CVE-2018-19404
- EPSS 0.78%
- Published 21.11.2018 00:29:00
- Last modified 21.11.2024 03:57:51
In YXcms 1.4.7, protected/apps/appmanage/controller/indexController.php allow remote authenticated Administrators to execute any PHP code by creating a ZIP archive containing a config.php file, hosting the .zip file at an external URL, and visiting i...
CVE-2018-13025
- EPSS 0.26%
- Published 29.06.2018 17:29:00
- Last modified 21.11.2024 03:46:16
protected/apps/admin/controller/photoController.php in YXcms 1.4.7 allows remote attackers to delete arbitrary files via the index.php?r=admin/photo/delpic picname parameter.
CVE-2018-11003
- EPSS 0.11%
- Published 12.05.2018 04:29:00
- Last modified 21.11.2024 03:42:28
An issue was discovered in YXcms 1.4.7. Cross-site request forgery (CSRF) vulnerability in protected/apps/admin/controller/adminController.php allows remote attackers to delete administrator accounts via index.php?r=admin/admin/admindel.
CVE-2018-8805
- EPSS 0.24%
- Published 20.03.2018 05:29:00
- Last modified 21.11.2024 04:14:21
Yxcms building system (compatible cell phone) v1.4.7 has XSS via the content parameter to protected\apps\default\view\default\extend_guestbook.php or protected\apps\default\view\mobile\extend_guestbook.php in an index.php?r=default/column/index&col=g...
CVE-2018-8761
- EPSS 0.24%
- Published 19.03.2018 14:29:00
- Last modified 21.11.2024 04:14:15
protected\apps\member\controller\shopcarController.php in Yxcms building system (compatible cell phone) v1.4.7 has a logic flaw allowing attackers to modify a price, before form submission, by observing data in a packet capture.