Vulnerabilities > Gxlcms
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-04-08 | CVE-2018-9850 | Path Traversal vulnerability in Gxlcms QY 1.0.0713 In Gxlcms QY v1.0.0713, Lib\Lib\Action\Admin\DataAction.class.php allows remote attackers to delete any file via directory traversal sequences in the id parameter of an Admin-Data-del request. | 7.5 |
| 2018-04-07 | CVE-2018-9848 | Code Injection vulnerability in Gxlcms QY 1.0.0713 In Gxlcms QY v1.0.0713, the upload function in Lib\Lib\Action\Admin\UploadAction.class.php allows remote attackers to execute arbitrary PHP code by first using an Admin-Admin-Configsave request to change the config[upload_class] value from jpg,gif,png,jpeg to jpg,gif,png,jpeg,php and then making an Admin-Upload-Upload request. | 9.8 |
| 2018-04-07 | CVE-2018-9847 | Code Injection vulnerability in Gxlcms QY 1.0.0713 In Gxlcms QY v1.0.0713, the update function in Lib\Lib\Action\Admin\TplAction.class.php allows remote attackers to execute arbitrary PHP code by placing this code into a template. | 9.8 |
| 2018-04-04 | CVE-2018-9247 | SQL Injection vulnerability in Gxlcms QY 1.0.0713 The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter. | 9.8 |
| 2017-10-03 | CVE-2017-14979 | Unspecified vulnerability in Gxlcms Gxlcms uses an unsafe character-replacement approach in an attempt to restrict access, which allows remote attackers to read arbitrary files via modified pathnames in the s parameter to index.php, related to Lib/Admin/Action/TplAction.class.php and Lib/Admin/Common/function.php. | 7.5 |