An issue was discovered in Victor CMS through 2018-05-10. There is XSS via the Author field of the "Leave a Comment" screen.
6.1CVSS
5.9AI Score
0.001EPSS
An issue was discovered in Victor CMS through 2018-05-10. There is XSS via the site name in the "Categories" menu.
4.8CVSS
4.8AI Score
0.001EPSS
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
6.1CVSS
5.9AI Score
0.001EPSS
A SQL injection vulnerability exists in Victor CMS V1.0 in the cat_id parameter of the category.php file. This parameter can be used by sqlmap to obtain data information in the database.
7.5CVSS
7.5AI Score
0.002EPSS
SQL Injection vulnerability in victor cms 1.0 allows attackers to execute arbitrary commands via the post parameter to /post.php in a crafted GET request.
9.8CVSS
9.8AI Score
0.001EPSS
The Victor CMS v1.0 application is vulnerable to SQL injection via the 'search' parameter on the search.php page.
9.8CVSS
9.7AI Score
0.039EPSS
Victor CMS 1.0 is vulnerable to SQL injection via c_id parameter of admin_edit_comment.php, p_id parameter of admin_edit_post.php, u_id parameter of admin_edit_user.php, and edit parameter of admin_update_categories.php.
8.8CVSS
9AI Score
0.018EPSS
Arbitrary file upload vulnerability in Victor CMS v 1.0 allows attackers to execute arbitrary code via the file upload to \CMSsite-master\admin\includes\admin_add_post.php.
9.8CVSS
9.7AI Score
0.008EPSS
Victor CMS v1.0 was discovered to contain a SQL injection vulnerability in the component admin/posts.php?source=add_post. This vulnerability can be exploited through a crafted POST request via the post_title parameter.
7.5CVSS
7.6AI Score
0.002EPSS
Victor CMS v1.0 was discovered to contain multiple SQL injection vulnerabilities in the component admin/users.php?source=add_user. These vulnerabilities can be exploited through a crafted POST request via the user_name, user_firstname,user_lastname, or user_email parameters.
7.5CVSS
7.9AI Score
0.002EPSS
Victor CMS v1.0 was discovered to contain a SQL injection vulnerability that allows attackers to inject arbitrary commands via 'user_firstname' parameter.
8.8CVSS
9AI Score
0.001EPSS
9.8CVSS
9.8AI Score
0.002EPSS
Victor v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component admin/profile.php?section=admin.
8.8CVSS
9.1AI Score
0.004EPSS
SQL Injection vulnerability in Victor CMS v1.0, via the user_name parameter to /includes/login.php.
7.5CVSS
7.9AI Score
0.002EPSS