Vulnerabilities > Indexhibit

DATE CVE VULNERABILITY TITLE RISK
2021-08-30 CVE-2020-18121 Incorrect Permission Assignment for Critical Resource vulnerability in Indexhibit 2.1.5
A configuration issue in Indexhibit 2.1.5 allows authenticated attackers to modify .php files, leading to getshell.
network
low complexity
indexhibit CWE-732
8.8
8.8
2021-08-30 CVE-2020-18123 Cross-Site Request Forgery (CSRF) vulnerability in Indexhibit 2.1.5
A cross-site request forgery (CSRF) vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily delete admin accounts.
network
low complexity
indexhibit CWE-352
6.5
6.5
2021-08-30 CVE-2020-18124 Cross-Site Request Forgery (CSRF) vulnerability in Indexhibit 2.1.5
A cross-site request forgery (CSRF) vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily reset account passwords.
network
low complexity
indexhibit CWE-352
5.7
5.7
2021-08-30 CVE-2020-18125 Cross-site Scripting vulnerability in Indexhibit 2.1.5
A reflected cross-site scripting (XSS) vulnerability in the /plugin/ajax.php component of Indexhibit 2.1.5 allows attackers to execute arbitrary web scripts or HTML.
network
low complexity
indexhibit CWE-79
6.1
6.1
2021-08-30 CVE-2020-18126 Cross-site Scripting vulnerability in Indexhibit 2.1.5
Multiple stored cross-site scripting (XSS) vulnerabilities in the Sections module of Indexhibit 2.1.5 allows attackers to execute arbitrary web scripts or HTML.
network
low complexity
indexhibit CWE-79
5.4
5.4
2021-08-30 CVE-2020-18127 Path Traversal vulnerability in Indexhibit 2.1.5
An issue in the /config/config.php component of Indexhibit 2.1.5 allows attackers to arbitrarily view files.
network
low complexity
indexhibit CWE-22
6.5
6.5
2019-09-14 CVE-2019-16314 Unspecified vulnerability in Indexhibit 2.1.5
Indexhibit 2.1.5 allows a product reinstallation, with resultant remote code execution, via /ndxzstudio/install.php?p=2.
network
low complexity
indexhibit
critical
 9.8
9.8
2019-02-20 CVE-2019-8954 Improper Input Validation vulnerability in Indexhibit 2.1.5
In Indexhibit 2.1.5, remote attackers can execute arbitrary code via the v parameter (in conjunction with the id parameter) in a upd_jxcode=true action to the ndxzstudio/?a=system URI.
network
low complexity
indexhibit CWE-20
8.8
8.8