Nenfo

Name of the Vulnerable Software and Affected Versions: Wcms version 0.3.2 Description: A Reflected Cross Site Scripting (XSS) issue was discovered, allowing remote attackers to inject arbitrary web script and HTML via the `type` parameter to "wex/cssjs.php". Recommendations: For Wcms version 0.3.2, consider restricting access to the "wex/cssjs.php" endpoint until a patch is available, and avoid using the `type` parameter in this endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Wcms version 0.3.2 Description: The issue allows an attacker to read arbitrary files on the server via the `pagename` parameter to "wex/html.php" API endpoint. Recommendations: For Wcms version 0.3.2, avoid using the `pagename` parameter in the "wex/html.php" API endpoint until the issue is resolved. Consider restricting access to the "wex/html.php" endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Wcms version 0.3.2 Description: A directory traversal issue allows an attacker to read arbitrary files on the server via the `path` parameter to "wex/cssjs.php". Recommendations: For Wcms version 0.3.2, avoid using the `path` parameter in the "wex/cssjs.php" endpoint until the issue is resolved. Consider restricting access to the "wex/cssjs.php" endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: wcms version 0.3.2 Description: A Cross Site Scripting (XSS) issue allows remote attackers to inject arbitrary web script and HTML via the `pagename` parameter to "wex/html.php" API endpoint. Recommendations: For version 0.3.2, avoid using the `pagename` parameter in the "wex/html.php" API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Wcms version 0.3.2 Description: The issue allows an attacker to send crafted requests from the back-end server of a vulnerable web application via the `path` parameter to "wex/cssjs.php". This can be used to identify open ports, local network hosts, and execute commands on local services. Recommendations: For Wcms version 0.3.2, consider restricting access to the "wex/cssjs.php" endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `path` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Wcms version 0.3.2 Description: The issue allows an attacker to send crafted requests from the back-end server of a vulnerable web application via the `pagename` parameter to "wex/html.php". This can be used to identify open ports, local network hosts, and execute commands on local services. Recommendations: For Wcms version 0.3.2, consider restricting access to the "wex/html.php" endpoint and limiting the use of the `pagename` parameter until a fix is available. As a temporary workaround, restrict the functionality that allows sending crafted requests from the back-end server to minimize the risk of exploitation.