Kyrie403

#9377de 53,635
29.4CVSS total
Vulnerabilidades · 3
Crítica
3
PT-2019-11990
9.8
2019-04-01
74Cms · 74Cms · CVE-2019-10684
**Name of the Vulnerable Software and Affected Versions** 74cms version 5.0.1 **Description** The issue allows remote attackers to execute arbitrary PHP code. This is achieved via the `site domain` parameter in the `/index.php?m=Admin&c=config&a=edit` API endpoint. **Recommendations** For version 5.0.1, as a temporary workaround, consider restricting access to the `edit` action in the `ConfigController` to minimize the risk of exploitation. Avoid using the `site domain` parameter in the affected API endpoint until the issue is resolved.
PT-2019-11962
9.8
2019-03-30
Zzcms · Zzcms · CVE-2019-10647
**Name of the Vulnerable Software and Affected Versions** ZZZCMS zzzphp version 1.6.3 **Description** The issue allows remote attackers to execute arbitrary PHP code via a .php URL in the "plugins/ueditor/php/controller.php?action=catchimage" API endpoint, specifically through the `source[]` parameter, due to a lack of restrictions in inc/zzz file.php. This can be exploited by providing a URL such as "http://192.168.0.1/test.php" if the web server at 192.168.0.1 does not interpret .php files and instead sends their contents. **Recommendations** For ZZZCMS zzzphp version 1.6.3, consider restricting access to the "plugins/ueditor/php/controller.php?action=catchimage" API endpoint and limiting the use of the `source[]` parameter until a patch is available. Additionally, ensure that any web server used in conjunction with this software interprets .php files correctly to prevent exploitation.
PT-2019-11678
9.8
2019-03-29
Western Bridge · Western Bridge Cobub Razor · CVE-2019-10276
**Name of the Vulnerable Software and Affected Versions** Western Bridge Cobub Razor version 0.8.0 **Description** The issue concerns a file upload vulnerability. This vulnerability can be exploited via the "web/assets/swf/uploadify.php" URI. An example of exploitation involves uploading a .php file with the `content type` set to `image/jpeg`. **Recommendations** For version 0.8.0, consider restricting access to the "web/assets/swf/uploadify.php" URI to prevent unauthorized file uploads until a fix is available. As a temporary workaround, monitor file uploads closely to detect and prevent potential malicious activity.