Search criteria
7 vulnerabilities by duxcms_project
CVE-2020-21881 (GCVE-0-2020-21881)
Vulnerability from cvelistv5 – Published: 2023-07-31 00:00 – Updated: 2024-10-22 19:36
VLAI?
Summary
Cross Site Request Forgery (CSRF) vulnerability in admin.php in DuxCMS 2.1 allows remote attackers to modtify application data via article/admin/content/add.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:30:33.704Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gitee.com/annyshow/DuxCMS2.1/issues/I183GG"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-21881",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T19:36:16.137855Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T19:36:32.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery (CSRF) vulnerability in admin.php in DuxCMS 2.1 allows remote attackers to modtify application data via article/admin/content/add."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-31T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://gitee.com/annyshow/DuxCMS2.1/issues/I183GG"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-21881",
"datePublished": "2023-07-31T00:00:00",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-10-22T19:36:32.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36763 (GCVE-0-2020-36763)
Vulnerability from cvelistv5 – Published: 2023-07-31 00:00 – Updated: 2024-10-22 18:53
VLAI?
Summary
Cross Site Scripting (XSS) vulnerability in DuxCMS 2.1 allows remote attackers to run arbitrary code via the content, time, copyfrom parameters when adding or editing a post.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:37:06.970Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gitee.com/annyshow/DuxCMS2.1/issues/I183GG"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-36763",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T18:52:57.356481Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T18:53:06.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) vulnerability in DuxCMS 2.1 allows remote attackers to run arbitrary code via the content, time, copyfrom parameters when adding or editing a post."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-31T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://gitee.com/annyshow/DuxCMS2.1/issues/I183GG"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36763",
"datePublished": "2023-07-31T00:00:00",
"dateReserved": "2023-07-27T00:00:00",
"dateUpdated": "2024-10-22T18:53:06.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-21861 (GCVE-0-2020-21861)
Vulnerability from cvelistv5 – Published: 2023-07-06 00:00 – Updated: 2024-11-21 14:49
VLAI?
Summary
File upload vulnerability in DuxCMS 2.1 allows attackers to execute arbitrary php code via duxcms/AdminUpload/upload.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:30:33.570Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gitee.com/annyshow/DuxCMS2.1/issues/I182Y4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-21861",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T14:49:43.123179Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:49:56.726Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "File upload vulnerability in DuxCMS 2.1 allows attackers to execute arbitrary php code via duxcms/AdminUpload/upload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-06T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://gitee.com/annyshow/DuxCMS2.1/issues/I182Y4"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-21861",
"datePublished": "2023-07-06T00:00:00",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-11-21T14:49:56.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-21862 (GCVE-0-2020-21862)
Vulnerability from cvelistv5 – Published: 2023-07-06 00:00 – Updated: 2024-11-21 14:14
VLAI?
Summary
Directory traversal vulnerability in DuxCMS 2.1 allows attackers to delete arbitrary files via /admin/AdminBackup/del.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:30:33.637Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gitee.com/annyshow/DuxCMS2.1/issues/I182Z5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-21862",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T14:14:17.653498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:14:27.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in DuxCMS 2.1 allows attackers to delete arbitrary files via /admin/AdminBackup/del."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-06T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://gitee.com/annyshow/DuxCMS2.1/issues/I182Z5"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-21862",
"datePublished": "2023-07-06T00:00:00",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-11-21T14:14:27.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36609 (GCVE-0-2020-36609)
Vulnerability from cvelistv5 – Published: 2022-12-08 00:00 – Updated: 2025-04-15 13:08
VLAI?
Summary
A vulnerability was found in annyshow DuxCMS 2.1. It has been classified as problematic. This affects an unknown part of the file admin.php&r=article/AdminContent/edit of the component Article Handler. The manipulation of the argument content leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-215115.
Severity ?
CWE
- CWE-707 - Improper Neutralization -> CWE-74 Injection -> CWE-79 Cross Site Scripting
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:30:08.308Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gitee.com/annyshow/DuxCMS2.1/issues/I183GG"
},
{
"tags": [
"x_transferred"
],
"url": "https://vuldb.com/?id.215115"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-36609",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T16:55:32.858925Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T13:08:01.791Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DuxCMS",
"vendor": "annyshow",
"versions": [
{
"status": "affected",
"version": "2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in annyshow DuxCMS 2.1. It has been classified as problematic. This affects an unknown part of the file admin.php\u0026r=article/AdminContent/edit of the component Article Handler. The manipulation of the argument content leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-215115."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-707",
"description": "CWE-707 Improper Neutralization -\u003e CWE-74 Injection -\u003e CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-08T00:00:00.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"url": "https://gitee.com/annyshow/DuxCMS2.1/issues/I183GG"
},
{
"url": "https://vuldb.com/?id.215115"
}
],
"title": "annyshow DuxCMS Article edit cross site scripting",
"x_generator": "vuldb.com"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2020-36609",
"datePublished": "2022-12-08T00:00:00.000Z",
"dateReserved": "2022-12-08T00:00:00.000Z",
"dateUpdated": "2025-04-15T13:08:01.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36610 (GCVE-0-2020-36610)
Vulnerability from cvelistv5 – Published: 2022-12-08 00:00 – Updated: 2025-04-15 13:07
VLAI?
Summary
A vulnerability was found in annyshow DuxCMS 2.1. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-215116.
Severity ?
4.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization -> CWE-862 Missing Authorization -> CWE-352 Cross-Site Request Forgery
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:30:08.300Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gitee.com/annyshow/DuxCMS2.1/issues/I183GG"
},
{
"tags": [
"x_transferred"
],
"url": "https://vuldb.com/?id.215116"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-36610",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T16:55:29.616233Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T13:07:52.006Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DuxCMS",
"vendor": "annyshow",
"versions": [
{
"status": "affected",
"version": "2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in annyshow DuxCMS 2.1. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-215116."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization -\u003e CWE-862 Missing Authorization -\u003e CWE-352 Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-08T00:00:00.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"url": "https://gitee.com/annyshow/DuxCMS2.1/issues/I183GG"
},
{
"url": "https://vuldb.com/?id.215116"
}
],
"title": "annyshow DuxCMS cross-site request forgery",
"x_generator": "vuldb.com"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2020-36610",
"datePublished": "2022-12-08T00:00:00.000Z",
"dateReserved": "2022-12-08T00:00:00.000Z",
"dateUpdated": "2025-04-15T13:07:52.006Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3242 (GCVE-0-2021-3242)
Vulnerability from cvelistv5 – Published: 2022-02-16 19:29 – Updated: 2024-08-03 16:53
VLAI?
Summary
DuxCMS v3.1.3 was discovered to contain a SQL injection vulnerability via the component s/tools/SendTpl/index?keyword=.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:53:17.072Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.star123.top/2021/01/16/duxcms3-1-3%E5%AE%A1%E8%AE%A1/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/duxphp/DuxCMS3/issues/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DuxCMS v3.1.3 was discovered to contain a SQL injection vulnerability via the component s/tools/SendTpl/index?keyword=."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-16T19:29:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.star123.top/2021/01/16/duxcms3-1-3%E5%AE%A1%E8%AE%A1/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/duxphp/DuxCMS3/issues/4"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-3242",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "DuxCMS v3.1.3 was discovered to contain a SQL injection vulnerability via the component s/tools/SendTpl/index?keyword=."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.star123.top/2021/01/16/duxcms3-1-3%E5%AE%A1%E8%AE%A1/",
"refsource": "MISC",
"url": "https://www.star123.top/2021/01/16/duxcms3-1-3%E5%AE%A1%E8%AE%A1/"
},
{
"name": "https://github.com/duxphp/DuxCMS3/issues/4",
"refsource": "MISC",
"url": "https://github.com/duxphp/DuxCMS3/issues/4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-3242",
"datePublished": "2022-02-16T19:29:38",
"dateReserved": "2021-01-22T00:00:00",
"dateUpdated": "2024-08-03T16:53:17.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}