Vulnerabilities > Bludit > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-02-07 | CVE-2020-8812 | Cross-site Scripting vulnerability in Bludit 3.10.0 Bludit 3.10.0 allows Editor or Author roles to insert malicious JavaScript on the WYSIWYG editor. | 5.4 |
| 2020-02-07 | CVE-2020-8811 | Missing Authorization vulnerability in Bludit 3.10.0 ajax/profile-picture-upload.php in Bludit 3.10.0 allows authenticated users to change other users' profile pictures. | 4.0 |
| 2019-10-06 | CVE-2019-17240 | Improper Restriction of Excessive Authentication Attempts vulnerability in Bludit 3.9.2 bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many different forged X-Forwarded-For or Client-IP HTTP headers. | 4.3 |
| 2019-09-08 | CVE-2019-16113 | Path Traversal vulnerability in Bludit 3.9.2 Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname. | 6.5 |
| 2019-06-05 | CVE-2019-12742 | Authorization Bypass Through User-Controlled Key vulnerability in Bludit Bludit prior to 3.9.1 allows a non-privileged user to change the password of any account, including admin. | 6.5 |
| 2019-06-03 | CVE-2019-12548 | Code Injection vulnerability in Bludit Bludit before 3.9.0 allows remote code execution for an authenticated user by uploading a php file while changing the logo through /admin/ajax/upload-logo. | 6.5 |
| 2018-12-20 | CVE-2018-1000811 | Unrestricted Upload of File with Dangerous Type vulnerability in Bludit 3.0.0 bludit version 3.0.0 contains a Unrestricted Upload of File with Dangerous Type vulnerability in Content Upload in Pages Editor that can result in Remote Command Execution. | 6.5 |
| 2018-09-01 | CVE-2018-16313 | Cross-site Scripting vulnerability in Bludit 2.3.4 Bludit 2.3.4 allows XSS via a user name. | 4.3 |