cvebase

Fiyo CMS vulnerabilities

26 known vulnerabilities affecting fiyo/fiyo_cms.

Total CVEs: 26
CISA KEV: 0
Public exploits: 6
Exploited in wild: 0
Severity breakdown: CRITICAL 13, HIGH 8, MEDIUM 5

Vulnerabilities

Page 1 of 2
CVE-2014-9148 | P2 | CRITICAL | CVSS 9.8 | PoC | ≤ 2.0.1.8 | 2017-10-16
CWE-284: Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.
Source: NVD

CVE-2015-3934 | P2 | CRITICAL | CVSS 9.8 | PoC | v2.0.1.9.1 | 2017-11-21
CWE-89: Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/app_article/controller/rating.php or (2) user parameter to user/login.
Source: NVD

CVE-2017-6823 | P3 | HIGH | CVSS 8.8 | PoC | v2.0.6.1 | 2017-03-12
CWE-294: Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges via a modified level parameter to dapur/ in an app=user&act=edit action.
Source: NVD

CVE-2014-9147 | P3 | HIGH | CVSS 7.5 | PoC | ≤ 2.0.1.8 | 2017-10-16
CWE-200: Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.
Source: NVD

CVE-2014-9145 | P3 | HIGH | CVSS 7.5 | PoC | v2.0.1.8 | 2015-04-14
CWE-89: Multiple SQL injection vulnerabilities in Fiyo CMS 2.0.1.8 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an edit action to dapur/index.php; (2) cat, (3) user, or (4) level parameter to dapur/apps/app_article/controller/article_list.php; or (5) email parameter in an email action or (6) username parameter in a user ac
Source: NVD

CVE-2017-7625 | P3 | CRITICAL | CVSS 9.8 | v2.0, v2.0.1.6, +4 more | 2017-04-10
CWE-94: In Fiyo CMS 2.x through 2.0.7, attackers may upload a webshell via the content parameter to "/dapur/apps/app_theme/libs/save_file.php" and then execute code.
Source: NVD

CVE-2017-11416 | P3 | CRITICAL | CVSS 9.8 | v2.0.7 | 2017-07-18
CWE-89: Fiyo CMS 2.0.7 has SQL injection in /apps/app_comment/controller/insert.php via the name parameter.
Source: NVD

CVE-2017-17103 | P3 | HIGH | CVSS 8.8 | v2.0.7 | 2017-12-04
CWE-89: Fiyo CMS 2.0.7 has SQL injection in /apps/app_user/sys_user.php via $_POST[name] or $_POST[email]. This vulnerability can lead to escalation from normal user privileges to administrator privileges.
Source: NVD

CVE-2017-11418 | P3 | CRITICAL | CVSS 9.8 | v2.0.7 | 2017-07-18
CWE-89: Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_list.php via $_GET['cat'], $_GET['user'], $_GET['level'], and $_GET['iSortCol_'.$i].
Source: NVD

CVE-2017-11415 | P3 | CRITICAL | CVSS 9.8 | v2.0.7 | 2017-07-18
CWE-89: Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/sys_article.php via $_POST['parent_id'], $_POST['desc'], $_POST['keys'], and $_POST['level'].
Source: NVD

CVE-2017-11354 | P3 | CRITICAL | CVSS 9.8 | v2.0.7 | 2017-07-17
CWE-89: Fiyo CMS v2.0.7 has an SQL injection vulnerability in dapur/apps/app_article/sys_article.php via the name parameter in editing or adding a tag name.
Source: NVD

CVE-2017-11631 | P3 | CRITICAL | CVSS 9.8 | v2.0.7 | 2017-07-26
CWE-89: dapur/app/app_user/controller/status.php in Fiyo CMS 2.0.7 has SQL injection via the id parameter.
Source: NVD

CVE-2017-11630 | P3 | HIGH | CVSS 7.5 | v2.0.7 | 2017-07-26
CWE-22: dapur\apps\app_config\controller\backuper.php in Fiyo CMS 2.0.7 allows remote attackers to delete arbitrary files via directory traversal sequences in the file parameter in a type=database request, a different vulnerability than CVE-2017-8853.
Source: NVD

CVE-2017-11417 | P3 | CRITICAL | CVSS 9.8 | v2.0.7 | 2017-07-18
CWE-89: Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_status.php via $_GET['id'].
Source: NVD

CVE-2017-11413 | P3 | CRITICAL | CVSS 9.8 | v2.0.7 | 2017-07-18
CWE-89: Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/comment_status.php via $_GET['id'].
Source: NVD

CVE-2017-11414 | P3 | CRITICAL | CVSS 9.8 | v2.0.7 | 2017-07-18
CWE-89: Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/sys_comment.php via $_POST['comment'], $_POST['name'], $_POST['web'], $_POST['email'], $_POST['status'], $_POST['id'], and $_REQUEST['id'].
Source: NVD

CVE-2017-11419 | P3 | CRITICAL | CVSS 9.8 | v2.0.7 | 2017-07-18
CWE-89: Fiyo CMS 2.0.7 has SQL injection in /apps/app_article/controller/editor.php via $_POST['id'] and $_POST['art_title'].
Source: NVD

CVE-2017-11412 | P3 | CRITICAL | CVSS 9.8 | v2.0.7 | 2017-07-18
CWE-89: Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/controller/comment_status.php via $_GET['id'].
Source: NVD

CVE-2017-17104 | P3 | HIGH | CVSS 7.5 | v2.0.7 | 2017-12-04
CWE-200: Fiyo CMS 2.0.7 has an arbitrary file read vulnerability in dapur/apps/app_theme/libs/check_file.php via $_GET['src'] or $_GET['name'].
Source: NVD

CVE-2017-8853 | P3 | HIGH | CVSS 7.5 | v2.0.7 | 2017-05-09
CWE-22: Fiyo CMS v2.0.7 has an arbitrary file delete vulnerability in dapur/apps/app_config/controller/backuper.php via directory traversal in the file parameter during an act=db action.
Source: NVD