MidnightBSD

Advisories for aerocms_project

CVE-2022-27061 MEDIUM

AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vulnerability via the Post Image function under the Admin panel. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-27062 LOW

AeroCMS v0.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Title text field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-27063 MEDIUM

AeroCMS v0.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via view_all_comments.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-38305

AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vulnerability via the component /admin/profile.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-38812

AeroCMS 0.1.1 is vulnerable to SQL Injection via the author parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
aerocms_project aerocms 0.1.1
CVE-2022-45329

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the Search parameter. This vulnerability allows attackers to access database information.

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-45330

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the Category parameter at \category.php. This vulnerability allows attackers to access database information.

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-45331

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the p_id parameter at \post.php. This vulnerability allows attackers to access database information.

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-45529

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the post_category_id parameter at \admin\includes\edit_post.php. This vulnerability allows attackers to access database information.

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-45535

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the edit parameter at \admin\categories.php. This vulnerability allows attackers to access database information.

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-45536

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the id parameter at \admin\post_comments.php. This vulnerability allows attackers to access database information.

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-46047

AeroCMS v0.0.1 is vulnerable to SQL Injection via the delete parameter.

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-46051

The approve parameter from the AeroCMS-v0.0.1 CMS system is vulnerable to SQL injection attacks.

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-46058

AeroCMS v0.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field.

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-46059

AeroCMS v0.0.1 is vulnerable to Cross Site Request Forgery (CSRF).

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-46061

AeroCMS v0.0.1 is vulnerable to ClickJacking.

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-46135

In AeroCms v0.0.1, there is an arbitrary file upload vulnerability at /admin/posts.php?source=edit_post , through which we can upload webshell and control the web server.

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-46137

AeroCMS v0.0.1 is vulnerable to Directory Traversal. The impact is: obtain sensitive information (remote). The component is: AeroCMS v0.0.1.

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2022-50895

Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially compromise the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N 3.9 4.2

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1
CVE-2023-29847

AeroCMS v0.0.1 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the comment_author and comment_content parameters at /post.php. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via a crafted payload.

Products Affected

Vendor Product Version
aerocms_project aerocms 0.0.1