Blackcat-Cms: >> Blackcat Cms >> 1.2 Security Vulnerabilities
An issue was discovered in BlackCat CMS before 1.4. There is a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.
CVSS Score
8.8
EPSS Score
0.004
Published
2020-09-15
In BlackCat CMS 1.2, remote authenticated users can upload any file via the media upload function in backend/media/ajax_upload.php, as demonstrated by a ZIP archive that contains a .php file.
CVSS Score
6.5
EPSS Score
0.001
Published
2017-08-31
BlackCat CMS 1.2 allows remote authenticated users to inject arbitrary PHP code into info.php via a crafted new_modulename parameter to backend/addons/ajax_create.php. NOTE: this can be exploited via CSRF.
CVSS Score
8.8
EPSS Score
0.002
Published
2017-08-31
In BlackCat CMS 1.2, backend/settings/ajax_save_settings.php allows remote authenticated users to conduct XSS attacks via the Website header or Website footer field.
CVSS Score
5.4
EPSS Score
0.001
Published
2017-08-31
In BlackCat CMS 1.2, backend/addons/install.php allows remote authenticated users to execute arbitrary PHP code via a ZIP archive that contains a .php file.
CVSS Score
8.8
EPSS Score
0.005
Published
2017-08-31
Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the map_language parameter to backend/pages/lang_settings.php.
CVSS Score
5.4
EPSS Score
0.012
Published
2017-07-17