Otcms Security Vulnerabilities
A vulnerability was found in OTCMS 6.72. It has been declared as problematic. Affected by this vulnerability is the function AutoRun of the file apiRun.php. The manipulation of the argument mode leads to cross site scripting. The attack can be launched remotely. The identifier VDB-224017 was assigned to this vulnerability.
CVSS Score: 3.5 | EPSS Score: 0.003 | Published: 2023-03-25
OTCMS v3.85 allows arbitrary PHP Code Execution because admin/sysCheckFile_deal.php blocks "into outfile" in a SELECT statement, but does not block the "into/**/outfile" manipulation. Therefore, the attacker can create a .php file.
CVSS Score: 7.2 | EPSS Score: 0.011 | Published: 2019-10-09
OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel page, leading to creation of a new management group account, as demonstrated by superadmin.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2019-10-09
OTCMS 3.81 allows XSS via the mode parameter in an apiRun.php?mudi=autoRun request.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-07-19
OTCMS 3.61 allows remote attackers to execute arbitrary PHP code via the accBackupDir parameter.
CVSS Score: 8.1 | EPSS Score: 0.007 | Published: 2018-09-23
An issue was discovered in OTCMS 3.61. XSS exists in admin/users.php via these parameters: dataTypeCN, dataMode, dataModeStr.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-09-16
An issue was discovered in OTCMS 3.61. XSS exists in admin/share_switch.php via these parameters: fieldName, fieldName2, tabName.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-09-16
OTCMS 3.20 allows XSS by adding a keyword or link to an article, as demonstrated by an admin/keyWord_deal.php?mudi=add request.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-03-24



Shodan ® - All rights reserved