Total
6 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-15600 | 1 Cmsuno Project | 1 Cmsuno | 2022-01-04 | 4.3 MEDIUM | 6.5 MEDIUM |
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password. | |||||
CVE-2021-40889 | 1 Cmsuno Project | 1 Cmsuno | 2021-10-19 | 7.5 HIGH | 9.8 CRITICAL |
CMSUno version 1.7.2 is affected by a PHP code execution vulnerability. sauvePass action in {webroot}/uno/central.php file calls to file_put_contents() function to write username in password.php file when a user successfully changed their password. The attacker can inject malicious PHP code into password.php and then use the login function to execute code. | |||||
CVE-2021-36654 | 1 Cmsuno Project | 1 Cmsuno | 2021-08-11 | 3.5 LOW | 5.4 MEDIUM |
CMSuno 1.7 is vulnerable to an authenticated stored cross site scripting in modifying the filename parameter (tgo) while updating the theme. | |||||
CVE-2020-25538 | 1 Cmsuno Project | 1 Cmsuno | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
An authenticated attacker can inject malicious code into "lang" parameter in /uno/central.php file in CMSuno 1.6.2 and run this PHP code in the web page. In this way, attacker can takeover the control of the server. | |||||
CVE-2020-25557 | 1 Cmsuno Project | 1 Cmsuno | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
In CMSuno 1.6.2, an attacker can inject malicious PHP code as a "username" while changing his/her username & password. After that, when attacker logs in to the application, attacker's code will be run. As a result of this vulnerability, authenticated user can run command on the server. | |||||
CVE-2018-15567 | 1 Cmsuno Project | 1 Cmsuno | 2018-10-19 | 4.3 MEDIUM | 6.1 MEDIUM |
CMSUno before 1.5.3 has XSS via the title field. |