Vulnerabilities (CVE)

Filtered by vendor Yzmcms Subscribe
Total 40 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-22394 1 Yzmcms 1 Yzmcms 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
In YzmCMS v5.5 the member contribution function in the editor contains a cross-site scripting (XSS) vulnerability.
CVE-2019-16678 1 Yzmcms 1 Yzmcms 2024-02-04 4.3 MEDIUM 6.5 MEDIUM
admin/urlrule/add.html in YzmCMS 5.3 allows CSRF with a resultant denial of service by adding a superseding route.
CVE-2019-16532 1 Yzmcms 1 Yzmcms 2024-02-04 5.8 MEDIUM 6.1 MEDIUM
An HTTP Host header injection vulnerability exists in YzmCMS V5.3. A malicious user can poison a web cache or trigger redirections.
CVE-2019-9660 1 Yzmcms 1 Yzmcms 2024-02-04 3.5 LOW 4.8 MEDIUM
Stored XSS exists in YzmCMS 5.2 via the admin/category/edit.html "catname" parameter.
CVE-2018-16247 1 Yzmcms 1 Yzmcms 2024-02-04 3.5 LOW 5.4 MEDIUM
YzmCMS 5.1 has XSS via the admin/system_manage/user_config_add.html title parameter.
CVE-2019-9661 1 Yzmcms 1 Yzmcms 2024-02-04 3.5 LOW 4.8 MEDIUM
Stored XSS exists in YzmCMS 5.2 via the admin/system_manage/user_config_edit.html "value" parameter,
CVE-2019-9570 1 Yzmcms 1 Yzmcms 2024-02-04 3.5 LOW 4.8 MEDIUM
An issue was discovered in YzmCMS 5.2.0. It has XSS via the bottom text field to the admin/system_manage/save.html URI, related to the site_code parameter.
CVE-2018-20015 1 Yzmcms 1 Yzmcms 2024-02-04 6.8 MEDIUM 8.8 HIGH
YzmCMS v5.2 has admin/role/add.html CSRF.
CVE-2018-17044 1 Yzmcms 1 Yzmcms 2024-02-04 3.5 LOW 4.8 MEDIUM
In YzmCMS 5.1, stored XSS exists via the admin/system_manage/user_config_add.html title parameter.
CVE-2018-19849 1 Yzmcms 1 Yzmcms 2024-02-04 3.5 LOW 4.8 MEDIUM
An issue was discovered in YzmCMS 5.2. XSS exists via the admin/content/search.html searinfo parameter.
CVE-2018-19092 1 Yzmcms 1 Yzmcms 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in YzmCMS v5.2. It has XSS via a search/index/archives/pubtime/ query string, as demonstrated by the search/index/archives/pubtime/1526387722/page/1.html URI. NOTE: this does not obtain a user's cookie.
CVE-2018-7653 1 Yzmcms 1 Yzmcms 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
In YzmCMS 3.6, index.php has XSS via the a, c, or m parameter.
CVE-2018-8756 1 Yzmcms 1 Yzmcms 2024-02-04 6.5 MEDIUM 7.2 HIGH
Eval injection in yzmphp/core/function/global.func.php in YzmCMS v3.7.1 allows remote attackers to achieve arbitrary code execution via PHP code in the POST data of an index.php?m=member&c=member_content&a=init request.
CVE-2018-10224 1 Yzmcms 1 Yzmcms 2024-02-04 6.0 MEDIUM 6.8 MEDIUM
An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add a tag via /index.php/admin/tag/add.html.
CVE-2018-11554 1 Yzmcms 1 Yzmcms 2024-02-04 7.5 HIGH 9.8 CRITICAL
The forgotten-password feature in index.php/member/reset/reset_email.html in YzmCMS v3.2 through v3.7 has a Response Discrepancy Information Exposure issue and an unexpectedly long lifetime for a verification code, which makes it easier for remote attackers to hijack accounts via a brute-force approach.
CVE-2018-7579 1 Yzmcms 1 Yzmcms 2024-02-04 6.5 MEDIUM 7.2 HIGH
\application\admin\controller\update_urls.class.php in YzmCMS 3.6 has SQL Injection via the catids array parameter to admin/update_urls/update_category_url.html.
CVE-2018-7479 1 Yzmcms 1 Yzmcms 2024-02-04 5.0 MEDIUM 5.3 MEDIUM
YzmCMS 3.6 allows remote attackers to discover the full path via a direct request to application/install/templates/s1.php.
CVE-2018-10026 1 Yzmcms 1 Yzmcms 2024-02-04 3.5 LOW 4.8 MEDIUM
The WeChat module in YzmCMS 3.7.1 has reflected XSS via the admin/module/init.html echostr parameter, related to the valid function in application/wechat/controller/index.class.php.
CVE-2018-8078 1 Yzmcms 1 Yzmcms 2024-02-04 3.5 LOW 5.4 MEDIUM
YzmCMS 3.7 has Stored XSS via the title parameter to advertisement/adver/edit.html.
CVE-2018-10223 1 Yzmcms 1 Yzmcms 2024-02-04 6.0 MEDIUM 6.8 MEDIUM
An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add an admin account via /index.php/admin/admin_manage/add.html.