Vulnerabilities (CVE)

Filtered by vendor Gxlcms Subscribe

Filtered by product Gxlcms

Total 9 CVE

CVE	Vendors	Products	Updated	CVSS v2	CVSS v3
CVE-2020-20975	1 Gxlcms	1 Gxlcms	2024-02-04	7.5 HIGH	9.8 CRITICAL
In \lib\admin\action\dataaction.class.php in Gxlcms v1.1, SQL Injection exists via the $filename parameter.
CVE-2018-16437	1 Gxlcms	1 Gxlcms	2024-02-04	4.0 MEDIUM	4.9 MEDIUM
Gxlcms 2.0 before bug fix 20180915 has Directory Traversal exploitable by an administrator.
CVE-2018-14685	1 Gxlcms	1 Gxlcms	2024-02-04	5.0 MEDIUM	9.8 CRITICAL
The add function in www/Lib/Lib/Action/Admin/TplAction.class.php in Gxlcms v1.1.4 allows remote attackers to read arbitrary files via a crafted index.php?s=Admin-Tpl-ADD-id request, related to Lib/Common/Admin/function.php.
CVE-2018-15177	1 Gxlcms	1 Gxlcms	2024-02-04	6.8 MEDIUM	8.8 HIGH
In Gxlcms 2.0, a news/index.php?s=Admin-Admin-Insert CSRF attack can add an administrator account.
CVE-2018-18487	1 Gxlcms	1 Gxlcms	2024-02-04	5.0 MEDIUM	7.5 HIGH
In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, the database backup filename generation uses mt_rand() unsafely, resulting in predictable database backup file locations.
CVE-2018-16436	1 Gxlcms	1 Gxlcms	2024-02-04	6.5 MEDIUM	7.2 HIGH
Gxlcms 2.0 before bug fix 20180915 has SQL Injection exploitable by an administrator.
CVE-2018-16655	1 Gxlcms	1 Gxlcms	2024-02-04	4.3 MEDIUM	6.1 MEDIUM
Gxlcms 1.0 has XSS via the PATH_INFO to gx/lib/ThinkPHP/Tpl/ThinkException.tpl.php.
CVE-2018-18488	1 Gxlcms	1 Gxlcms	2024-02-04	7.5 HIGH	9.8 CRITICAL
In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, SQL Injection exists via the ids[] parameter.
CVE-2017-14979	1 Gxlcms	1 Gxlcms	2024-02-04	5.0 MEDIUM	7.5 HIGH
Gxlcms uses an unsafe character-replacement approach in an attempt to restrict access, which allows remote attackers to read arbitrary files via modified pathnames in the s parameter to index.php, related to Lib/Admin/Action/TplAction.class.php and Lib/Admin/Common/function.php.