| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Cross Site Scripting (XSS) exists in MetInfo 6.0.0 via /feedback/index.php because app/system/feedback/web/feedback.class.php mishandles input data. |
| An issue was discovered in MetInfo 6.0.0. In install/install.php in the installation process, the config/config_db.php configuration file filtering is not rigorous: one can insert malicious code in the installation process to execute arbitrary commands or obtain a web shell. |
| MetInfo 6.x through 6.1.3 has XSS via the /admin/login/login_check.php url_array[] parameter. |
| In Metinfo 6.1.3, include/interface/applogin.php allows setting arbitrary HTTP headers (including the Cookie header), and common.inc.php allows registering variables from the $_COOKIE value. This issue can, for example, be exploited in conjunction with CVE-2018-19835 to bypass many XSS filters such as the Chrome XSS filter. |
| Metinfo 6.1.3 has reflected XSS via the admin/column/move.php lang_columnerr4 parameter. |
| MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword abt_type parameter. |
| MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword langset parameter. |
| XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter. |
| MetInfo 6.1.2 has XSS via the /admin/index.php bigclass parameter in an n=column&a=doadd action. |
| MetInfo 6.1.0 has SQL injection in doexport() in app/system/feedback/admin/feedback_admin.class.php via the class1 field. |
| MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsave action to admin/index.php, as demonstrated by an admin/index.php?anyid=47&n=admin&c=admin_admin&a=doaddsave URI. |
| MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page. |
| Metinfo v6.0.0 allows remote attackers to write code into a .php file, and execute that code, via the module parameter to admin/column/save.php in an editor upload action. |
| An issue was discovered in MetInfo 6.0.0. install\index.php allows remote attackers to write arbitrary PHP code into config_db.php, a different vulnerability than CVE-2018-7271. |
| An issue was discovered in MetInfo 6.0.0. admin/app/batch/csvup.php allows remote attackers to delete arbitrary files via a flienamecsv=../ directory traversal. This can be exploited via CSRF. |
| Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The impact is: Information Disclosure (remote). The component is: admin/index.php. The attack vector is: The administrator clicks on the malicious link in the login state. |
| Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The impact is: Information Disclosure (remote). The component is: admin/interface/online/delete.php. The attack vector is: The administrator clicks on the malicious link in the login state. |
| Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php in Metinfo 5.3.18 allows remote attackers to inject arbitrary web script or HTML via the (1) class1 parameter or the (2) anyid parameter. |
