Yzmcms: Security Vulnerabilities
A storage XSS vulnerability is found in YzmCMS v5.8, which can be used by attackers to inject JS code and attack malicious XSS on the /admin/system_manage/user_config_edit.html page.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-06-03
An issue was discovered in YzmCMS V5.8. There is a CSRF vulnerability that can add member user accounts via member/member/add.html.
CVSS Score
4.3
EPSS Score
0.001
Published
2021-06-03
In YzmCMS 5.6, XSS was discovered in member/member_content/init.html via the SRC attribute of an IFRAME element because of using UEditor 1.4.3.3.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-05-10
In YzmCMS 5.6, stored XSS exists via the common/static/plugin/ueditor/1.4.3.3/php/controller.php action parameter, which allows remote attackers to upload a swf file. The swf file can be injected with arbitrary web script or HTML.
CVSS Score
5.4
EPSS Score
0.001
Published
2021-05-10
Cross Site Scripting (XSS) in yzmCMS v5.2 allows remote attackers to execute arbitrary code by injecting commands into the "referer" field of a POST request to the component "/member/index/login.html" when logging in.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-04-30
In YzmCMS v5.5 the member contribution function in the editor contains a cross-site scripting (XSS) vulnerability.
CVSS Score
6.1
EPSS Score
0.002
Published
2020-11-19
An HTTP Host header injection vulnerability exists in YzmCMS V5.3. A malicious user can poison a web cache or trigger redirections.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-09-26
admin/urlrule/add.html in YzmCMS 5.3 allows CSRF with a resultant denial of service by adding a superseding route.
CVSS Score
6.5
EPSS Score
0.001
Published
2019-09-21
YzmCMS 5.1 has XSS via the admin/system_manage/user_config_add.html title parameter.
CVSS Score
5.4
EPSS Score
0.003
Published
2019-06-20
Stored XSS exists in YzmCMS 5.2 via the admin/category/edit.html "catname" parameter.
CVSS Score
4.8
EPSS Score
0.002
Published
2019-03-11