Vulnerabilities > Gxlcms > Critical

DATE | CVE | VULNERABILITY TITLE | RISK

2021-08-12 | CVE-2020-20975 | SQL Injection vulnerability in Gxlcms 1.1 | critical (9.8)
In \lib\admin\action\dataaction.class.php in Gxlcms v1.1, SQL Injection exists via the $filename parameter.
Attack vector: network; complexity: low; product: gxlcms; weakness: CWE-89

2018-10-18 | CVE-2018-18488 | SQL Injection vulnerability in Gxlcms 2.0 | critical (9.8)
In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, SQL Injection exists via the ids[] parameter.
Attack vector: network; complexity: low; product: gxlcms; weakness: CWE-89

2018-07-28 | CVE-2018-14685 | Information Exposure vulnerability in Gxlcms 1.1.4 | critical (9.8)
The add function in www/Lib/Lib/Action/Admin/TplAction.class.php in Gxlcms v1.1.4 allows remote attackers to read arbitrary files via a crafted index.php?s=Admin-Tpl-ADD-id request, related to Lib/Common/Admin/function.php.
Attack vector: network; complexity: low; product: gxlcms; weakness: CWE-200

2018-04-08 | CVE-2018-9852 | Information Exposure vulnerability in Gxlcms QY 1.0.0713 | critical (9.8)
In Gxlcms QY v1.0.0713, Lib\Lib\Action\Home\HitsAction.class.php allows remote attackers to read data from a database by embedding a FROM clause in a query string within a Home-Hits request, as demonstrated by sid=user,password%20from%20mysql.user%23.
Attack vector: network; complexity: low; product: gxlcms; weakness: CWE-200

2018-04-07 | CVE-2018-9848 | Code Injection vulnerability in Gxlcms QY 1.0.0713 | critical (9.8)
In Gxlcms QY v1.0.0713, the upload function in Lib\Lib\Action\Admin\UploadAction.class.php allows remote attackers to execute arbitrary PHP code by first using an Admin-Admin-Configsave request to change the config[upload_class] value from jpg,gif,png,jpeg to jpg,gif,png,jpeg,php and then making an Admin-Upload-Upload request.
Attack vector: network; complexity: low; product: gxlcms; weakness: CWE-94

2018-04-07 | CVE-2018-9847 | Code Injection vulnerability in Gxlcms QY 1.0.0713 | critical (9.8)
In Gxlcms QY v1.0.0713, the update function in Lib\Lib\Action\Admin\TplAction.class.php allows remote attackers to execute arbitrary PHP code by placing this code into a template.
Attack vector: network; complexity: low; product: gxlcms; weakness: CWE-94

2018-04-04 | CVE-2018-9247 | SQL Injection vulnerability in Gxlcms QY 1.0.0713 | critical (9.8)
The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter.
Attack vector: network; complexity: low; product: gxlcms; weakness: CWE-89