A cross site scripting (XSS) vulnerability in the background search function of Maccms10 allows attackers to execute arbitrary web scripts or HTML via the 'wd' parameter.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-08-11
An arbitrary file deletion vulnerability exists within Maccms10.
CVSS Score
6.5
EPSS Score
0.004
Published
2021-08-11
Maccms through 8.0 allows XSS via the site_keywords field to index.php?m=system-config because of tpl/module/system.php and tpl/html/system_config.html, related to template/paody/html/vod_index.html.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-06-07
Maccms 10 allows remote attackers to execute arbitrary PHP code by entering this code in a template/default_pc/html/art Edit action. This occurs because template rendering uses an include operation on a cache file, which bypasses the prohibition of .php files as templates.
CVSS Score
8.8
EPSS Score
0.007
Published
2019-03-15
Maccms 8.0 allows XSS via the inc/config/cache.php t_key parameter because template/paody/html/vod_type.html mishandles the keywords parameter, and a/tpl/module/db.php only filters the t_name parameter (not t_key).
CVSS Score
6.1
EPSS Score
0.003
Published
2019-02-27
Maccms 10 allows CSRF via admin.php/admin/admin/info.html to add user accounts.
CVSS Score
8.8
EPSS Score
0.003
Published
2018-06-14
Maccms 8.x allows remote command execution via the wd parameter in an index.php?m=vod-search request.
CVSS Score
9.8
EPSS Score
0.4
Published
2017-12-18
Page 4