Phpmywind Security Vulnerabilities
PHPMyWind 5.3 has XSS in shoppingcart.php, related to message.php, admin/message.php, and admin/message_update.php.
6.1CVSS
5.9AI Score
0.001EPSS
PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, or the query string to news.php or about.php.
6.1CVSS
5.9AI Score
0.001EPSS
5.4CVSS
5.2AI Score
0.001EPSS
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the varvalue field.
7.2CVSS
7.3AI Score
0.001EPSS
admin/goods_update.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the attrvalue[] array parameter.
7.2CVSS
7.3AI Score
0.001EPSS
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the rewrite url setting.
7.2CVSS
7.3AI Score
0.001EPSS
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the cfg_author field in conjunction with a crafted cfg_webpath field.
7.2CVSS
7.2AI Score
0.001EPSS
6.1CVSS
6.2AI Score
0.001EPSS
4.8CVSS
5.1AI Score
0.001EPSS
An issue was discovered in PHPMyWind 5.5. The GetQQ function in include/func.class.php allows XSS via the cfg_qqcode parameter. This can be exploited via CSRF.
6.1CVSS
5.9AI Score
0.001EPSS
An issue was discovered in PHPMyWind 5.5. It allows remote attackers to delete arbitrary folders via an admin/database_backup.php?action=import&dopost=deldir&tbname=../ URI.
4.9CVSS
5.3AI Score
0.001EPSS
An issue was discovered in PHPMyWind 5.5. The username parameter of the /install/index.php page has a stored Cross-site Scripting (XSS) vulnerability, as demonstrated by admin/login.php.
6.1CVSS
5.9AI Score
0.001EPSS
An issue was discovered in PHPMyWind 5.5. The method parameter of the data/api/oauth/connect.php page has a reflected Cross-site Scripting (XSS) vulnerability.
6.1CVSS
6AI Score
0.001EPSS
4.8CVSS
4.9AI Score
0.001EPSS
Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_copyright" of component " /admin/web_config.php".
4.8CVSS
5.3AI Score
0.001EPSS
Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_switchshow" of component " /admin/web_config.php".
4.8CVSS
5.4AI Score
0.001EPSS
Command Injection in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the "text color" field of the component '/admin/web_config.php'.
7.2CVSS
7.5AI Score
0.002EPSS
Unrestricted File Upload in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the component 'admin/upload_file_do.php'.
7.2CVSS
7.4AI Score
0.008EPSS
A Cross Site Request Forgery (CSRF) vulnerability was discovered in PHPMyWind 5.6 which allows attackers to create a new administrator account without authentication.
6.5CVSS
6.4AI Score
0.001EPSS
SQL injection vulnerability found in PHPMyWind v.5.6 allows a remote attacker to gain privileges via the delete function of the administrator management page.
8.8CVSS
8.9AI Score
0.001EPSS
SQL injection vulnerability in gaozhifeng PHPMyWind v.5.6 allows a remote attacker to execute arbitrary code via the id variable in the modify function.
7.2CVSS
7.4AI Score
0.001EPSS
PHPMyWind 5.6 is vulnerable to Remote Code Execution. Becase input is filtered without "<, >, ?, =, `,...." In WriteConfig() function, an attacker can inject php code to /include/config.cache.php file.
7.2CVSS
7.1AI Score
0.005EPSS