MidnightBSD

Advisories for cotonti

CVE-2013-4789 HIGH

SQL injection vulnerability in modules/rss/rss.php in Cotonti before 0.9.14 allows remote attackers to execute arbitrary SQL commands via the "c" parameter to index.php.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
cotonti cotonti_siena 0.9.3
cotonti cotonti_siena 0.9.1
cotonti cotonti_siena 0.9.5
cotonti cotonti_siena *
cotonti cotonti_siena 0.9.9
cotonti cotonti_siena 0.9.4
cotonti cotonti_siena 0.9.8
cotonti cotonti_siena 0.9.0
cotonti cotonti_siena 0.9.10
cotonti cotonti_siena 0.9.11
cotonti cotonti_siena 0.9.2
cotonti cotonti_siena 0.9.12
cotonti cotonti_siena 0.9.7
cotonti cotonti_siena 0.9.6
CVE-2021-47808

Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N 3.9 2.7

Products Affected

Vendor Product Version
cotonti cotonti_siena 0.9.19
CVE-2022-39839

Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a forum post.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
cotonti cotonti_siena 0.9.20
CVE-2022-39840

Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a direct message (DM).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
cotonti cotonti_siena 0.9.20
CVE-2024-24115

A stored cross-site scripting (XSS) vulnerability in the Edit Page function of Cotonti CMS v0.9.24 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.

Products Affected

Vendor Product Version
cotonti cotonti_siena 0.9.24
cotonti siena 0.9.24
CVE-2025-44115

A vulnerability has been found in Cotonti Siena v0.9.25. Affected by this vulnerability is the file /admin.php?m=config&n=edit&o=core&p=title. The manipulation of the value of title leads to cross-site scripting.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
cotonti cotonti_siena 0.9.25