Search
Total
4 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-14979 | 1 Gxlcms | 1 Gxlcms | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| Gxlcms uses an unsafe character-replacement approach in an attempt to restrict access, which allows remote attackers to read arbitrary files via modified pathnames in the s parameter to index.php, related to Lib/Admin/Action/TplAction.class.php and Lib/Admin/Common/function.php. | |||||
| CVE-2018-18487 | 1 Gxlcms | 1 Gxlcms | 2018-11-30 | 5.0 MEDIUM | 7.5 HIGH |
| In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, the database backup filename generation uses mt_rand() unsafely, resulting in predictable database backup file locations. | |||||
| CVE-2018-16436 | 1 Gxlcms | 1 Gxlcms | 2018-11-05 | 6.5 MEDIUM | 7.2 HIGH |
| Gxlcms 2.0 before bug fix 20180915 has SQL Injection exploitable by an administrator. | |||||
| CVE-2018-15177 | 1 Gxlcms | 1 Gxlcms | 2018-10-05 | 6.8 MEDIUM | 8.8 HIGH |
| In Gxlcms 2.0, a news/index.php?s=Admin-Admin-Insert CSRF attack can add an administrator account. | |||||