Cmsuno Project Cmsuno vulnerabilities
5 known vulnerabilities affecting cmsuno_project/cmsuno.
Total CVEs
5
CISA KEV
0
Public exploits
4
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH2MEDIUM2
Vulnerabilities
Page 1 of 1
CVE-2020-25557P2HIGHCVSS 8.8PoCv1.6.22020-11-13
CVE-2020-25557 [HIGH] CWE-94 CVE-2020-25557: In CMSuno 1.6.2, an attacker can inject malicious PHP code as a "username" while changing his/her us
In CMSuno 1.6.2, an attacker can inject malicious PHP code as a "username" while changing his/her username & password. After that, when attacker logs in to the application, attacker's code will be run. As a result of this vulnerability, authenticated user can run command on the server.
nvd
CVE-2020-25538P2HIGHCVSS 8.8PoCv1.6.22020-11-13
CVE-2020-25538 [HIGH] CWE-94 CVE-2020-25538: An authenticated attacker can inject malicious code into "lang" parameter in /uno/central.php file i
An authenticated attacker can inject malicious code into "lang" parameter in /uno/central.php file in CMSuno 1.6.2 and run this PHP code in the web page. In this way, attacker can takeover the control of the server.
nvd
CVE-2020-15600P3MEDIUMCVSS 6.5PoCfixed in 1.6.12020-07-07
CVE-2020-15600 [MEDIUM] CWE-352 CVE-2020-15600: An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
nvd
CVE-2021-40889P3CRITICALCVSS 9.8v1.7.22021-10-11
CVE-2021-40889 [CRITICAL] CWE-94 CVE-2021-40889: CMSUno version 1.7.2 is affected by a PHP code execution vulnerability. sauvePass action in {webroot
CMSUno version 1.7.2 is affected by a PHP code execution vulnerability. sauvePass action in {webroot}/uno/central.php file calls to file_put_contents() function to write username in password.php file when a user successfully changed their password. The attacker can inject malicious PHP code into password.php and then use the login function to execu
nvd
CVE-2021-36654P4MEDIUMCVSS 5.4PoCv1.72021-08-03
CVE-2021-36654 [MEDIUM] CWE-79 CVE-2021-36654: CMSuno 1.7 is vulnerable to an authenticated stored cross site scripting in modifying the filename p
CMSuno 1.7 is vulnerable to an authenticated stored cross site scripting in modifying the filename parameter (tgo) while updating the theme.
nvd