MidnightBSD

Advisories for bosscms

CVE-2022-28606 HIGH

An arbitrary file upload vulnerability exists in Wenzhou Huoyin Information Technology Co., Ltd. BossCMS 1.0, which can be exploited by an attacker to gain control of the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
bosscms bosscms 1.0.0
CVE-2022-44937

Bosscms v2.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Add function under the Administrator List module.

Products Affected

Vendor Product Version
bosscms bosscms 2.0.0
CVE-2024-22938

Insecure Permissions vulnerability in BossCMS v.1.3.0 allows a local attacker to execute arbitrary code and escalate privileges via the init function in admin.class.php component.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
bosscms bosscms 1.3.0
CVE-2024-31613

BOSSCMS v3.10 is vulnerable to Cross Site Request Forgery (CSRF) in name="head_code" or name="foot_code."

Products Affected

Vendor Product Version
bosscms bosscms 3.10.0