MidnightBSD

Advisories for hoosk

CVE-2018-16771 HIGH

Hoosk v1.7.0 allows PHP code execution via a SiteUrl that is provided during installation and mishandled in config.php.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94

Products Affected

Vendor Product Version
hoosk hoosk 1.7.0

CVE-2018-16772 LOW

Hoosk v1.7.0 allows XSS via the Navigation Title of a new page entered at admin/pages/new.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
hoosk hoosk 1.7.0

CVE-2018-7590 MEDIUM

CSRF exists in Hoosk 1.7.0 via /admin/users/new/add, resulting in account creation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352

Products Affected

Vendor Product Version
hoosk hoosk 1.7.0

CVE-2020-16610 MEDIUM

Hoosk CodeIgniter CMS before 1.7.2 is affected by a Cross Site Request Forgery (CSRF). When an attacker induces an authenticated admin user to visit a malicious web page, any account can be deleted without the admin user's intention.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352

Products Affected

Vendor Product Version
hoosk hoosk *

CVE-2020-26041 HIGH

An issue was discovered in Hoosk CMS v1.8.0. There is a Remote Code Execution vulnerability in install/index.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
hoosk hoosk 1.8.0

CVE-2020-26042 HIGH

An issue was discovered in Hoosk CMS v1.8.0. There is a SQL injection vulnerability in install/index.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89

Products Affected

Vendor Product Version
hoosk hoosk 1.8.0

CVE-2020-26043 MEDIUM

An issue was discovered in Hoosk CMS v1.8.0. There is an XSS vulnerability in install/index.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
hoosk hoosk 1.8.0

CVE-2021-43478 MEDIUM

A vulnerability exists in Hoosk 1.8.0 in /install/index.php, due to a failure to check if config.php already exists in the root directory, which could let a malicious user reinstall the website.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L 2.8 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
hoosk hoosk 1.8.0

CVE-2022-28586 MEDIUM

XSS in the edit page of Hoosk 1.8.0 allows an attacker to execute JavaScript code in a user's browser via the edit page, using an XSS payload that bypasses the filter on some special characters.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
hoosk hoosk 1.8.0

CVE-2022-43234

An arbitrary file upload vulnerability in the /attachments component of Hoosk v1.8 allows attackers to execute arbitrary code via a crafted PHP file.

Products Affected

Vendor Product Version
hoosk hoosk 1.8.0