Maccms Security Vulnerabilities
Maccms 10 allows remote attackers to execute arbitrary PHP code by entering this code in a template/default_pc/html/art Edit action. This occurs because template rendering uses an include operation on a cache file, which bypasses the prohibition of .php files as templates.
CVSS Score: 8.8, EPSS Score: 0.007, Published: 2019-03-15
Maccms 8.0 allows XSS via the inc/config/cache.php t_key parameter because template/paody/html/vod_type.html mishandles the keywords parameter, and a/tpl/module/db.php only filters the t_name parameter (not t_key).
CVSS Score: 6.1, EPSS Score: 0.002, Published: 2019-02-27
Maccms 10 allows CSRF via admin.php/admin/admin/info.html to add user accounts.
CVSS Score: 8.8, EPSS Score: 0.005, Published: 2018-06-14
Maccms 8.x allows remote command execution via the wd parameter in an index.php?m=vod-search request.
CVSS Score: 9.8, EPSS Score: 0.412, Published: 2017-12-18

