ThinkCMF Security Vulnerabilities
ThinkCMF 6.0.9 is vulnerable to a file upload vulnerability via UeditorController.php.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2024-04-25
Cross Site Scripting (XSS) vulnerability in UserController.php in ThinkCMF version 5.1.5 allows attackers to execute arbitrary code via a crafted user_login value.
CVSS Score: 5.4 | EPSS Score: 0.004 | Published: 2023-08-11
ThinkCMF version 6.0.7 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows an attacker to inject a Super Administrator user into the administrative users.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2022-12-01
ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting (XSS). An attacker who successfully exploited this vulnerability could inject a persistent XSS payload into the Slideshow Management section that executes arbitrary JavaScript code on the client side, e.g., to steal the administrator's PHP session token (PHPSESSID).
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2022-12-01
ThinkCMF v5.1.7 has an improper authorization vulnerability. An attacker can modify the password of the administrator account with id 1 through the background user management group permissions. Exploitation requires the background user management group permission.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2022-06-14
An issue in ThinkCMF X2.2.2 and below allows attackers to execute arbitrary code via a crafted packet.
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2021-12-22
Cross Site Request Forgery (CSRF) vulnerability in ThinkCMF v5.1.0, which can be used to add an admin account.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2021-07-14
ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code via the portal/admin_category/addpost.html alias parameter because mishandling of a single-quote character allows injection into data/conf/route.php.
CVSS Score: 8.8 | EPSS Score: 0.581 | Published: 2019-02-07
app\admin\controller\RouteController.php in ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code by using vectors involving portal/List/index and list/:id to inject this code into data\conf\route.php, as demonstrated by a file_put_contents call.
CVSS Score: 9.8 | EPSS Score: 0.012 | Published: 2019-01-23
ThinkCMF X2.2.2 has SQL Injection via the functions check() and delete() in CommentadminController.class.php and is exploitable with the manager privilege via the ids[] parameter in a commentadmin action.
CVSS Score: 7.2 | EPSS Score: 0.003 | Published: 2018-12-06
Shodan ® - All rights reserved