Vulnerabilities > Runcms > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2009-10-27 | CVE-2009-3815 | Information Exposure vulnerability in Runcms 2M1: RunCMS 2M1, when running with certain error_reporting levels, allows remote attackers to obtain sensitive information via (1) the op[] parameter to modules/contact/index.php or (2) uid[] parameter to userinfo.php, which leaks the installation path in an error message when these parameters are used in a call to the preg_match function. | 5.0 |
2009-10-27 | CVE-2009-3814 | Code Injection vulnerability in Runcms 2M1: Static code injection vulnerability in RunCMS 2M1 allows remote authenticated administrators to execute arbitrary PHP code via the "Filter/Banning" feature, as demonstrated by modifying modules/system/cache/bademails.php using the "Prohibited: Emails" action, and other unspecified filters. | 6.5 |
2009-10-27 | CVE-2009-3813 | SQL Injection vulnerability in Runcms 2M1: Multiple SQL injection vulnerabilities in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via the (1) forum parameter to modules/forum/post.php and possibly (2) forum_id variable to modules/forum/class/class.permissions.php. | 6.5 |
2009-10-27 | CVE-2009-3804 | SQL Injection vulnerability in Runcms 2M1: Multiple SQL injection vulnerabilities in modules/forum/post.php in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via (1) the pid parameter, which is not properly handled by the store function in modules/forum/class/class.forumposts.php, or (2) the topic_id parameter. | 6.5 |
2009-09-14 | CVE-2008-7222 | Cross-Site Scripting vulnerability in Runcms 1.6.1: Cross-site scripting (XSS) vulnerability in system/admin.php in RunCMS 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the rank_title parameter in a RankForumAdd action. | 4.3 |
2009-09-14 | CVE-2008-7221 | Cross-Site Request Forgery (CSRF) vulnerability in Runcms 1.6.1: Cross-site request forgery (CSRF) vulnerability in RunCMS 1.6.1 allows remote attackers to hijack the authentication of administrators for requests that (1) add new administrators or (2) modify user profiles via a crafted request to system/admin.php. | 6.8 |
2008-03-24 | CVE-2008-1462 | SQL Injection vulnerability in Runcms: SQL injection vulnerability in the sections (Section) module in RunCMS allows remote attackers to execute arbitrary SQL commands via the artid parameter in a viewarticle action. | 6.8 |
2007-12-28 | CVE-2007-6547 | Input Validation vulnerability in RunCMS: RunCMS before 1.6.1 does not require entry of the old password during a password change, which allows context-dependent attackers to change passwords upon obtaining temporary access to a session. | 6.8 |
2007-12-28 | CVE-2007-6546 | Input Validation vulnerability in RunCMS: RunCMS before 1.6.1 uses a predictable session id, which makes it easier for remote attackers to hijack sessions via a modified id. | 6.4 |
2007-12-28 | CVE-2007-6545 | Cross-Site Scripting vulnerability in Runcms: Multiple cross-site scripting (XSS) vulnerabilities in RunCMS before 1.6.1 allow remote attackers to inject arbitrary web script or HTML via (1) the subject parameter to modules/news/submit.php; (2) the PATH_INFO to modules/news/index.php, possibly related to the XoopsPageNav class; or (3) an avatar image to edituser.php. | 4.3 |