Vulnerabilities > Yxcms > Medium

DATE: 2018-06-29
CVE: CVE-2018-13025
VULNERABILITY TITLE: Incorrect Permission Assignment for Critical Resource vulnerability in Yxcms 1.4.7
protected/apps/admin/controller/photoController.php in YXcms 1.4.7 allows remote attackers to delete arbitrary files via the index.php?r=admin/photo/delpic picname parameter.
RISK: 4.9 (network, low complexity; yxcms, CWE-732)

DATE: 2018-05-12
CVE: CVE-2018-11003
VULNERABILITY TITLE: Cross-Site Request Forgery (CSRF) vulnerability in Yxcms 1.4.7
An issue was discovered in YXcms 1.4.7.
RISK: 6.5 (network, low complexity; yxcms, CWE-352)

DATE: 2018-03-20
CVE: CVE-2018-8805
VULNERABILITY TITLE: Cross-site Scripting vulnerability in Yxcms 1.4.7
Yxcms building system (compatible cell phone) v1.4.7 has XSS via the content parameter to protected\apps\default\view\default\extend_guestbook.php or protected\apps\default\view\mobile\extend_guestbook.php in an index.php?r=default/column/index&col=guestbook request.
RISK: 6.1 (network, low complexity; yxcms, CWE-79)