Vulnerabilities > Xpressengine > Medium

DATE        CVE             VULNERABILITY TITLE                                  RISK
2022-02-09  CVE-2021-44911  Cross-site Scripting vulnerability in Xpressengine   5.4
    XE before 1.11.6 is vulnerable to Unrestricted file upload via modules/menu/menu.admin.controller.php.
    network, low complexity; xpressengine; CWE-79
2022-02-09  CVE-2021-44912  Cross-site Scripting vulnerability in Xpressengine   5.4
    In XE 1.116, when uploading the Normal button, there is no restriction on the file suffix, which leads to any file uploading to the files directory.
    network, low complexity; xpressengine; CWE-79