Shodan
Vulnerabilities
Vulnerable Software
Thedaylightstudio:  >> Fuel Cms  Security Vulnerabilities
CVE-2020-24791
FUEL CMS 1.4.8 allows SQL injection via the 'fuel_replace_id' parameter in pages/replace/1. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CVSS Score
9.8
EPSS Score
0.048
Published
2021-03-10
CVE-2020-28705
FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability that can delete a page via a post ID to /pages/delete/3.
CVSS Score
4.3
EPSS Score
0.001
Published
2021-03-10
CVE-2020-26045
FUEL CMS 1.4.11 allows SQL Injection via parameter 'name' in /fuel/permissions/create/. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CVSS Score
9.8
EPSS Score
0.01
Published
2021-01-05
CVE-2020-26046
FUEL CMS 1.4.11 has stored XSS in Blocks/Navigation/Site variables. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account and also impact other visitors.
CVSS Score
5.4
EPSS Score
0.003
Published
2021-01-05
CVE-2020-26167
In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one.
CVSS Score
9.8
EPSS Score
0.03
Published
2020-11-04
CVE-2020-17463
Known exploited
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
CVSS Score
9.8
EPSS Score
0.118
Published
2020-08-13
CVE-2019-15228
FUEL CMS 1.4.4 has XSS in the Create Blocks section of the Admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account but can also impact unauthenticated visitors.
CVSS Score
5.4
EPSS Score
0.004
Published
2019-08-20
CVE-2019-15229
FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.
CVSS Score
8.8
EPSS Score
0.001
Published
2019-08-20
CVE-2018-20188
FUEL CMS 1.4.3 has CSRF via users/create/ to add an administrator account.
CVSS Score
8.8
EPSS Score
0.001
Published
2018-12-17
CVE-2018-20136
XSS exists in FUEL CMS 1.4.3 via the Header or Body in the Layout Variables during new-page creation, as demonstrated by the pages/edit/1?lang=english URI.
CVSS Score
4.8
EPSS Score
0.002
Published
2018-12-13


Products
Pricing
Contact Us

Shodan ® - All rights reserved