global.encryptPassword in bootstrap/global.js in CMSWing 1.3.7 relies on multiple MD5 operations for password hashing.
CVSS: 7.5, AI Score: 7.6, EPSS: 0.004
An issue was found in CMSWing project version 1.3.8. Because the log function does not check the log parameter, malicious parameters can execute arbitrary commands.
CVSS: 9.8, AI Score: 9.6, EPSS: 0.004
An issue was found in CMSWing project version 1.3.8. Because the updateAction function does not check the detail parameter, malicious parameters can execute arbitrary SQL commands.
CVSS: 9.8, AI Score: 9.8, EPSS: 0.004
An issue was found in CMSWing project version 1.3.8. Because the rechargeAction function does not check the balance parameter, malicious parameters can execute arbitrary SQL commands.
CVSS: 9.8, AI Score: 9.8, EPSS: 0.004
There is a cross-site scripting vulnerability in CmsWing 1.3.7. This vulnerability (stored XSS) is triggered when an administrator accesses the content management module.
CVSS: 5.4, AI Score: 5.3, EPSS: 0.001
There is a cross-site scripting vulnerability in CmsWing 1.3.7. This vulnerability (stored XSS) is triggered when visitors access the article module.
CVSS: 5.4, AI Score: 5.3, EPSS: 0.001
CVSS: 9.8, AI Score: 9.4, EPSS: 0.002
CmsWing CMS 1.3.7 is affected by a Remote Code Execution (RCE) vulnerability via parameter: log rule
CVSS: 9.8, AI Score: 9.7, EPSS: 0.006