MKCMS V5.0 has SQL injection via the bplay.php play parameter.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mkcms_project | mkcms | 5.0 |
MKCMS V5.0 has a CSRF vulnerability to add a new admin user via the ucenter/userinfo.php URI.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mkcms_project | mkcms | 5.0 |
MKCMS 5.0 allows remote attackers to take over arbitrary user accounts by posting a username and e-mail address to ucenter/repass.php, which triggers e-mail transmission with the password, as demonstrated by 123456.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mkcms_project | mkcms | 5.0 |
MKCMS V6.2 has SQL injection via /ucenter/reg.php name parameter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mkcms_project | mkcms | 6.2 |
MKCMS V6.2 has SQL injection via the /ucenter/active.php verify parameter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mkcms_project | mkcms | 6.2 |
MKCMS V6.2 has SQL injection via the /ucenter/repass.php name parameter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mkcms_project | mkcms | 6.2 |