CVE-2019-16661
Ogma CMS 0.5 has XSS via creation of a new blog. Date published : 2019-09-21 https://github.com/n00dles/ogma-CMS/issues/42
joyplus-cms 1.6.0 has admin_ajax.php?action=savexml&tab=vodplay CSRF. Date published : 2019-09-21 https://github.com/joyplus/joyplus-cms/issues/440
TuziCMS 2.0.6 has index.php/manage/link/do_add CSRF. Date published : 2019-09-21 https://github.com/yeyinshi/tuzicms/issues/3
TuziCMS 2.0.6 has index.php/manage/notice/do_add CSRF. Date published : 2019-09-21 https://github.com/yeyinshi/tuzicms/issues/4
TuziCMS 2.0.6 has XSS via the PATH_INFO to a group URI, as demonstrated by index.php/article/group/id/2/. Date published : 2019-09-21 https://github.com/yeyinshi/tuzicms/issues/5
joyplus-cms 1.6.0 allows remote attackers to execute arbitrary PHP code via /install by placing the code in the name of an object in the database. Date published : 2019-09-21 https://github.com/joyplus/joyplus-cms/issues/442
joyplus-cms 1.6.0 allows reinstallation if the install/ URI remains available. Date published : 2019-09-21 https://github.com/joyplus/joyplus-cms/issues/441
The Antioch theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to lib/scripts/download.php. Date published : 2019-09-20 https://packetstormsecurity.com/files/128188/
The epic theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to includes/download.php. Date published : 2019-09-20 https://packetstormsecurity.com/files/128186/
The xpinner-lite plugin through 2.2 for WordPress has wp-admin/options-general.php CSRF with resultant XSS. Date published : 2019-09-20 https://packetstormsecurity.com/files/133593/ https://wordpress.org/plugins/xpinner-lite/#developers
The xpinner-lite plugin through 2.2 for WordPress has xpinner-lite.php XSS. Date published : 2019-09-20 https://packetstormsecurity.com/files/133593/ https://wordpress.org/plugins/xpinner-lite/#developers
Directory traversal vulnerability in the mTheme-Unus theme before 2.3 for WordPress allows an attacker to read arbitrary files via a .. (dot dot) in the files parameter to css/css.php. Date published : 2019-09-20 https://packetstormsecurity.com/files/133778/...
The wp-piwik plugin before 1.0.5 for WordPress has XSS. Date published : 2019-09-20 https://github.com/braekling/WP-Matomo/commit/5110bfdb437a9f19b185ba8af33776fcb5e19940 Connect Matomo (WP-Matomo, WP-Piwik)
The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_keywords XSS. Date published : 2019-09-20 https://packetstormsecurity.com/files/134240/ https://wordpress.org/plugins/neuvoo-jobroll/#developers