Total
10 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-44937 | 1 Glfusion | 1 Glfusion | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| glFusion CMS v1.7.9 is affected by an arbitrary user registration vulnerability in /public_html/users.php. An attacker can register with the mailbox of any user. When users want to register, they will find that the mailbox has been occupied. | |||||
| CVE-2021-44942 | 1 Glfusion | 1 Glfusion | 2024-02-04 | 4.3 MEDIUM | 4.3 MEDIUM |
| glFusion CMS 1.7.9 is affected by a Cross Site Request Forgery (CSRF) vulnerability in /public_html/admin/plugins/bad_behavior2/blacklist.php. Using the CSRF vulnerability to trick the administrator to click, an attacker can add a blacklist. | |||||
| CVE-2021-44935 | 1 Glfusion | 1 Glfusion | 2024-02-04 | 6.4 MEDIUM | 9.1 CRITICAL |
| glFusion CMS v1.7.9 is affected by an arbitrary user impersonation vulnerability in /public_html/comment.php. The attacker can complete the attack remotely without interaction. | |||||
| CVE-2021-44949 | 1 Glfusion | 1 Glfusion | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| glFusion CMS 1.7.9 is affected by an access control vulnerability via /public_html/users.php. | |||||
| CVE-2013-1466 | 1 Glfusion | 1 Glfusion | 2024-02-04 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in glFusion before 1.2.2.pl4 allow remote attackers to inject arbitrary web script or HTML via the (1) subject parameter to profiles.php; (2) address1, (3) address2, (4) calendar_type, (5) city, (6) state, (7) title, (8) url, or (9) zipcode parameter to calendar/index.php; (10) title or (11) url parameter to links/index.php; or (12) PATH_INFO to admin/plugins/mediagallery/xppubwiz.php/. | |||||
| CVE-2009-4796 | 1 Glfusion | 1 Glfusion | 2024-02-04 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in the ExecuteQueries function in private/system/classes/listfactory.class.php in glFusion 1.1.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) order and (2) direction parameters to search.php. | |||||
| CVE-2009-1283 | 1 Glfusion | 1 Glfusion | 2024-02-04 | 6.8 MEDIUM | N/A |
| glFusion before 1.1.3 performs authentication with a user-provided password hash instead of a password, which allows remote attackers to gain privileges by obtaining the hash and using it in the glf_password cookie, aka "User Masquerading." NOTE: this can be leveraged with a separate SQL injection vulnerability to steal hashes. | |||||
| CVE-2009-1282 | 1 Glfusion | 1 Glfusion | 2024-02-04 | 7.5 HIGH | N/A |
| SQL injection vulnerability in private/system/lib-session.php in glFusion 1.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the glf_session cookie parameter. | |||||
| CVE-2009-0455 | 1 Glfusion | 1 Glfusion | 2024-02-04 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the anonymous comments feature in lib-comment.php in glFusion 1.1.0, 1.1.1, and earlier versions allows remote attackers to inject arbitrary web script or HTML via the username parameter to comment.php. | |||||
| CVE-2009-1281 | 1 Glfusion | 1 Glfusion | 2024-02-04 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in glFusion before 1.1.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||