DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2018-04-07 | CVE-2018-9848 | Code Injection vulnerability in Gxlcms QY 1.0.0713 | In Gxlcms QY v1.0.0713, the upload function in `Lib\Lib\Action\Admin\UploadAction.class.php` allows remote attackers to execute arbitrary PHP code by first using an Admin-Admin-Configsave request to change the `config[upload_class]` value from `jpg,gif,png,jpeg` to `jpg,gif,png,jpeg,php` and then making an Admin-Upload-Upload request. | 7.5 |
2018-04-07 | CVE-2018-9847 | Code Injection vulnerability in Gxlcms QY 1.0.0713 | In Gxlcms QY v1.0.0713, the update function in `Lib\Lib\Action\Admin\TplAction.class.php` allows remote attackers to execute arbitrary PHP code by placing this code into a template. | 7.5 |
2018-04-04 | CVE-2018-9247 | SQL Injection vulnerability in Gxlcms QY 1.0.0713 | The upsql function in `\Lib\Lib\Action\Admin\DataAction.class.php` in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter. | 7.5 |