5.4.2
6 years ago
3 months ago
Known vulnerabilities in the net.mingsoft:ms-mcms package. This does not include vulnerabilities belonging to this package’s dependencies.
Vulnerability | Vulnerable Version |
---|---|
Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the front-end file upload process. An attacker can execute arbitrary commands on the server by uploading a malicious file. How to fix Improper Control of Generation of Code ('Code Injection')? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type via a crafted POST request to How to fix Unrestricted Upload of File with Dangerous Type? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to Information Exposure via a crafted script to the How to fix Information Exposure? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to SQL Injection via the How to fix SQL Injection? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in How to fix Cross-site Scripting (XSS)? Upgrade | [,5.3.2) |
Affected versions of this package are vulnerable to Arbitrary File Upload via a crafted thumbnail. Exploiting this vulnerability might result in arbitrary code execution. Note: This vulnerability impacts only the Windows operating system. How to fix Arbitrary File Upload? Upgrade | [,5.1) |
Affected versions of this package are vulnerable to SQL Injection via the How to fix SQL Injection? Upgrade | [,5.1) |
Affected versions of this package are vulnerable to Arbitrary File Upload via the How to fix Arbitrary File Upload? Upgrade | [,5.2.11) |
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization when saving or updating articles. How to fix Cross-site Scripting (XSS)? Upgrade | [0,5.2.11) |
Affected versions of this package are vulnerable to SQL Injection due to improper sanitization, via the How to fix SQL Injection? Upgrade | [,5.2.10) |
Affected versions of this package are vulnerable to SQL Injection via model lists in How to fix SQL Injection? Upgrade | [0,5.2.9) |
Affected versions of this package are vulnerable to SQL Injection via the How to fix SQL Injection? Upgrade | [0,5.2.9) |
Affected versions of this package are vulnerable to Arbitrary File Upload via the How to fix Arbitrary File Upload? Upgrade | [0,5.2.9) |
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) where it's possible to add an administrator account via How to fix Cross-site Request Forgery (CSRF)? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to Arbitrary File Upload by allowing an attacker to execute arbitrary code through a crafted ZIP file. How to fix Arbitrary File Upload? Upgrade | [,5.2.8) |
Affected versions of this package are vulnerable to SQL Injection in How to fix SQL Injection? Upgrade | [,5.2.8) |
Affected versions of this package are vulnerable to SQL Injection in How to fix SQL Injection? Upgrade | [,5.2.8) |
Affected versions of this package are vulnerable to SQL Injection via the How to fix SQL Injection? Upgrade | [0,5.2.9) |
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via How to fix Cross-site Request Forgery (CSRF)? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to SQL Injection via How to fix SQL Injection? Upgrade | [0,5.2.8) |
Affected versions of this package are vulnerable to Remote Code Execution (RCE). By using a freemarker template function called How to fix Remote Code Execution (RCE)? Upgrade | [0,5.2.6) |
Affected versions of this package are vulnerable to SQL Injection via the How to fix SQL Injection? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to SQL Injection via How to fix SQL Injection? Upgrade | [0,5.2.6) |
Affected versions of this package are vulnerable to SQL Injection via How to fix SQL Injection? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to External Control of File Name or Path via the How to fix External Control of File Name or Path? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to Server-side Template Injection (SSTI) via the Template Management module, where it is possible to add a template with a crafted payload in order to execute commands on the underlying server. How to fix Server-side Template Injection (SSTI)? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to Arbitrary File Upload via the How to fix Arbitrary File Upload? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to Arbitrary File Deletion via the How to fix Arbitrary File Deletion? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to SQL Injection due to improper input sanitization in How to fix SQL Injection? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to SQL Injection via the How to fix SQL Injection? Upgrade | [,5.1) |
Affected versions of this package are vulnerable to Arbitrary File Upload via the How to fix Arbitrary File Upload? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to SQL Injection via the IDictBiz interface, through which the value of How to fix SQL Injection? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to SQL Injection via the IModelDataBiz interface, which requires implementing the How to fix SQL Injection? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to Arbitrary Code Execution in the How to fix Arbitrary Code Execution? Upgrade | [,5.2.6) |
Affected versions of this package are vulnerable to Arbitrary File Upload via the How to fix Arbitrary File Upload? There is no fixed version for | [0,) |
Affected versions of this package are vulnerable to Directory Traversal via the How to fix Directory Traversal? There is no fixed version for | [0,) |