Yzmcms 6.3 Security Vulnerabilities
YzmCMS v6.3 is affected by broken access control. A user's personal home page can be accessed without logging in. The application should check the user's login status before serving the personal home page, but because no real authentication is carried out, other users' home pages can be accessed while not logged in.
CVSS Score: 9.1
EPSS Score: 0.003
Published: 2022-03-10
YzmCMS v6.3 is affected by Cross-Site Request Forgery (CSRF) in /admin.add.
CVSS Score: 8.8
EPSS Score: 0.001
Published: 2022-02-15
YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to arbitrarily delete user accounts via /admin/admin_manage/delete.
CVSS Score: 6.5
EPSS Score: 0.002
Published: 2022-01-28
YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /yzmcms/comment/index/init.html.
CVSS Score: 8.8
EPSS Score: 0.004
Published: 2022-01-28
The comment function in YzmCMS v6.3 was discovered to allow concurrent operation, which lets attackers create an unusually large number of comments.
CVSS Score: 5.3
EPSS Score: 0.003
Published: 2022-01-28

