Security Vulnerabilities - CVEs Published In 2018
JEECMS 9.3 has CSRF via the api/admin/role/save URI to add a user.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2018-11-26

JTBC(PHP) 3.0.1.7 has CSRF via the console/xml/manage.php?type=action&action=edit URI, as demonstrated by an XSS payload in the content parameter.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2018-11-26

JTBC(PHP) 3.0.1.7 has XSS via the console/xml/manage.php?type=action&action=edit content parameter.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-11-26

index.php?r=site%2Flogin in EduSec through 4.2.6 does not restrict sending a series of LoginForm[username] and LoginForm[password] parameters, which might make it easier for remote attackers to obtain access via a brute-force approach.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2018-11-26

Interspire Email Marketer through 6.1.6 has SQL Injection via a tagids Delete action to Dynamiccontenttags.php.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2018-11-26

Interspire Email Marketer through 6.1.6 allows arbitrary file upload via a surveys_submit.php "create survey and submit survey" operation, which can cause a .php file to be accessible under an admin/temp/surveys/ URI.
CVSS Score: 8.8 | EPSS Score: 0.02 | Published: 2018-11-26

Interspire Email Marketer through 6.1.6 has SQL Injection via a checkduplicatetags tagname request to Dynamiccontenttags.php.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2018-11-26

Interspire Email Marketer through 6.1.6 has SQL Injection via a deleteblock blockid[] request to Dynamiccontenttags.php.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2018-11-26

Interspire Email Marketer through 6.1.6 has SQL Injection via an updateblock sortorder request to Dynamiccontenttags.php.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2018-11-26

An issue was discovered in Dotcms through 5.0.3. Attackers may perform XSS attacks via the inode, identifier, or fieldName parameter in html/js/dotcms/dijit/image/image_tool.jsp.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2018-11-26