MidnightBSD

Advisories for mkcms_project

CVE-2019-10707 HIGH

MKCMS V5.0 has SQL injection via the bplay.php play parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
mkcms_project mkcms 5.0
CVE-2019-11078 MEDIUM

MKCMS V5.0 has a CSRF vulnerability to add a new admin user via the ucenter/userinfo.php URI.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
mkcms_project mkcms 5.0
CVE-2019-11332 MEDIUM

MKCMS 5.0 allows remote attackers to take over arbitrary user accounts by posting a username and e-mail address to ucenter/repass.php, which triggers e-mail transmission with the password, as demonstrated by 123456.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mkcms_project mkcms 5.0
CVE-2020-22818

MKCMS V6.2 has SQL injection via /ucenter/reg.php name parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
mkcms_project mkcms 6.2
CVE-2020-22819

MKCMS V6.2 has SQL injection via the /ucenter/active.php verify parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
mkcms_project mkcms 6.2
CVE-2020-22820

MKCMS V6.2 has SQL injection via the /ucenter/repass.php name parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
mkcms_project mkcms 6.2