Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Naviwebs Subscribe
Total 32 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-28117 1 Naviwebs 1 Navigate Cms 2022-05-12 4.0 MEDIUM 4.9 MEDIUM
A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter.
CVE-2020-14014 1 Naviwebs 1 Navigate Cms 2022-04-30 3.5 LOW 5.4 MEDIUM
An issue was discovered in Navigate CMS 2.8 and 2.9 r1433. The query parameter fid on the resource navigate.php does not perform sufficient data validation and/or encoding, making it vulnerable to reflected XSS.
CVE-2021-44299 1 Naviwebs 1 Navigate Cms 2022-01-25 3.5 LOW 5.4 MEDIUM
A reflected cross-site scripting (XSS) vulnerability in \lib\packages\themes\themes.php of Navigate CMS v2.9.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2021-44351 1 Naviwebs 1 Navigate Cms 2022-01-12 5.0 MEDIUM 7.5 HIGH
An arbitrary file read vulnerability exists in NavigateCMS 2.9 via /navigate/navigate_download.php id parameter.
CVE-2021-36455 1 Naviwebs 1 Navigate Cms 2021-08-13 6.5 MEDIUM 8.8 HIGH
SQL Injection vulnerability in Naviwebs Navigate CMS 2.9 via the quicksearch parameter in \lib\packages\comments\comments.php.
CVE-2021-36454 1 Naviwebs 1 Navigate Cms 2021-08-12 3.5 LOW 5.4 MEDIUM
Cross Site Scripting (XSS) vulnerability in Naviwebs Navigate Cms 2.9 via the navigate-quickse parameter to 1) backups\backups.php, 2) blocks\blocks.php, 3) brands\brands.php, 4) comments\comments.php, 5) coupons\coupons.php, 6) feeds\feeds.php, 7) functions\functions.php, 8) items\items.php, 9) menus\menus.php, 10) orders\orders.php, 11) payment_methods\payment_methods.php, 12) products\products.php, 13) profiles\profiles.php, 14) shipping_methods\shipping_methods.php, 15) templates\templates.php, 16) users\users.php, 17) webdictionary\webdictionary.php, 18) websites\websites.php, and 19) webusers\webusers.php because the initial_url function is built in these files.
CVE-2021-37478 1 Naviwebs 1 Navigatecms 2021-08-03 7.5 HIGH 9.8 CRITICAL
In NavigateCMS version 2.9.4 and below, function `block` is vulnerable to sql injection on parameter `block-order`, which results in arbitrary sql query execution in the backend database.
CVE-2020-23242 1 Naviwebs 1 Navigatecms 2021-07-30 3.5 LOW 4.8 MEDIUM
Cross Site Scripting (XSS) vulnerability in NavigateCMS 2.9 when performing a Create or Edit via the Tools feature.
CVE-2020-23243 1 Naviwebs 1 Navigatecms 2021-07-30 3.5 LOW 4.8 MEDIUM
Cross Site Scripting (XSS) vulnerability in NavigateCMS NavigateCMS 2.9 via the name="wrong_path_redirect" feature.
CVE-2021-37475 1 Naviwebs 1 Navigatecms 2021-07-28 7.5 HIGH 9.8 CRITICAL
In NavigateCMS version 2.9.4 and below, function in `templates.php` is vulnerable to sql injection on parameter `template-properties-order`, which results in arbitrary sql query execution in the backend database.
CVE-2021-37476 1 Naviwebs 1 Navigatecms 2021-07-28 7.5 HIGH 9.8 CRITICAL
In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `id` through a post request, which results in arbitrary sql query execution in the backend database.
CVE-2021-37477 1 Naviwebs 1 Navigatecms 2021-07-28 7.5 HIGH 9.8 CRITICAL
In NavigateCMS version 2.9.4 and below, function in `structure.php` is vulnerable to sql injection on parameter `children_order`, which results in arbitrary sql query execution in the backend database.
CVE-2021-37473 1 Naviwebs 1 Navigatecms 2021-07-28 7.5 HIGH 9.8 CRITICAL
In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `products-order` through a post request, which results in arbitrary sql query execution in the backend database.
CVE-2020-23711 1 Naviwebs 1 Navigate Cms 2021-07-01 7.5 HIGH 9.8 CRITICAL
SQL Injection vulnerability in NavigateCMS 2.9 via the URL encoded GET input category in navigate.php.
CVE-2020-23654 1 Naviwebs 1 Navigatecms 2020-08-26 3.5 LOW 5.4 MEDIUM
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) via the module "Shop."
CVE-2020-23655 1 Naviwebs 1 Navigatecms 2020-08-26 3.5 LOW 5.4 MEDIUM
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration."
CVE-2020-23656 1 Naviwebs 1 Navigatecms 2020-08-26 3.5 LOW 5.4 MEDIUM
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Content."
CVE-2020-23657 1 Naviwebs 1 Navigatecms 2020-08-26 3.5 LOW 5.4 MEDIUM
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration."
CVE-2020-14016 1 Naviwebs 1 Navigate Cms 2020-06-29 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Navigate CMS 2.9 r1433. The forgot-password feature allows users to reset their passwords by using either their username or the email address associated with their account. However, the feature returns a not_found message when the provided username or email address does not match a user in the system. This can be used to enumerate users.
CVE-2020-14015 1 Naviwebs 1 Navigate Cms 2020-06-29 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Navigate CMS 2.9 r1433. When performing a password reset, a user is emailed an activation code that allows them to reset their password. There is, however, a flaw when no activation code is supplied. The system will allow an unauthorized user to continue setting a password, even though no activation code was supplied, setting the password for the most recently created user in the system (the user with the highest user id).