Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Finecms Subscribe
Total 12 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-16920 1 Finecms 1 Finecms 2019-10-02 7.5 HIGH 9.8 CRITICAL
v5/config/system.php in dayrui FineCms 5.2.0 has a default SYS_KEY value and does not require key regeneration for each installation, which allows remote attackers to upload arbitrary .php files via a member api swfupload action to index.php.
CVE-2018-18191 1 Finecms 1 Finecms 2018-11-21 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member&m=edit&uid=1 in dayrui FineCms 5.4 allows remote attackers to change the administrator's password.
CVE-2018-7476 1 Finecms 1 Finecms 2018-03-16 4.3 MEDIUM 6.1 MEDIUM
controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site Scripting (XSS) via the id or lid parameter in a c=linkage,m=import request to admin.php, because the xss_clean protection mechanism is defeated by crafted input that lacks a '<' or '>' character.
CVE-2018-6893 1 Finecms 1 Finecms 2018-03-06 7.5 HIGH 9.8 CRITICAL
controllers/member/Api.php in dayrui FineCms 5.2.0 has SQL Injection: a request with s=member,c=api,m=checktitle, and the parameter 'module' with a SQL statement, lacks effective filtering.
CVE-2017-16866 1 Finecms 1 Finecms 2017-12-04 4.3 MEDIUM 6.1 MEDIUM
dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/M_Controller.php via the DR_URI field.
CVE-2017-11629 1 Finecms 1 Finecms 2017-08-09 4.3 MEDIUM 6.1 MEDIUM
dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2 request.
CVE-2017-11581 1 Finecms 1 Finecms 2017-07-28 4.3 MEDIUM 6.1 MEDIUM
dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<' character.
CVE-2017-11585 1 Finecms 1 Finecms 2017-07-28 7.5 HIGH 9.8 CRITICAL
dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval Injection.
CVE-2017-11586 1 Finecms 1 Finecms 2017-07-28 5.8 MEDIUM 6.1 MEDIUM
dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php.
CVE-2017-11583 1 Finecms 1 Finecms 2017-07-27 7.5 HIGH 9.8 CRITICAL
dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php.
CVE-2017-11584 1 Finecms 1 Finecms 2017-07-27 7.5 HIGH 9.8 CRITICAL
dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to libraries/Template.php.
CVE-2017-11582 1 Finecms 1 Finecms 2017-07-27 7.5 HIGH 9.8 CRITICAL
dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to libraries/Template.php.