Metinfo: >> Metinfo Security Vulnerabilities
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.
CVSS Score
5.4
EPSS Score
0.002
Published
2018-10-16
MetInfo 6.1.2 has XSS via the /admin/index.php bigclass parameter in an n=column&a=doadd action.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-10-15
MetInfo 6.1.0 has SQL injection in doexport() in app/system/feedback/admin/feedback_admin.class.php via the class1 field.
CVSS Score
4.9
EPSS Score
0.003
Published
2018-09-17
MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page.
CVSS Score
4.8
EPSS Score
0.002
Published
2018-07-20
MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsave action to admin/index.php, as demonstrated by an admin/index.php?anyid=47&n=admin&c=admin_admin&a=doaddsave URI.
CVSS Score
8.8
EPSS Score
0.002
Published
2018-07-20
Metinfo v6.0.0 allows remote attackers to write code into a .php file, and execute that code, via the module parameter to admin/column/save.php in an editor upload action.
CVSS Score
7.2
EPSS Score
0.007
Published
2018-06-29
An issue was discovered in MetInfo 6.0.0. admin/app/batch/csvup.php allows remote attackers to delete arbitrary files via a flienamecsv=../ directory traversal. This can be exploited via CSRF.
CVSS Score
6.5
EPSS Score
0.005
Published
2018-06-18
An issue was discovered in MetInfo 6.0.0. install\index.php allows remote attackers to write arbitrary PHP code into config_db.php, a different vulnerability than CVE-2018-7271.
CVSS Score
9.8
EPSS Score
0.009
Published
2018-06-18
The front page of MetInfo 6.0 allows XSS by sending a feedback message to an administrator.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-04-10
The reset-password feature in MetInfo 6.0 allows remote attackers to change arbitrary passwords via vectors involving a Host HTTP header that is modified to specify a web server under the attacker's control.
CVSS Score
8.8
EPSS Score
0.004
Published
2018-04-10