
    20 vulnerabilities found for 07flycms by 07fly

    CVE-2025-7078 (GCVE-0-2025-7078)

    Vulnerability from nvd – Published: 2025-07-06 08:32 – Updated: 2025-07-07 16:21
    Title
    07FLYCMS/07FLY-CMS/07FlyCRM cross-site request forgery
    Summary
    A vulnerability classified as problematic was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.3.9. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery
    • CWE-862 - Missing Authorization
    Impacted products
    Vendor  Product    Version
    n/a     07FLYCMS   Affected: 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9
    n/a     07FLY-CMS  Affected: 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9
    n/a     07FlyCRM   Affected: 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9
    Credits
    Excent1c (VulDB User)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-7078",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-07T16:21:17.941410Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-07T16:21:20.599Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/Excentique/yuxuan_mei/blob/main/07fly-crm_1.md"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "07FLYCMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.0"
                },
                {
                  "status": "affected",
                  "version": "1.3.1"
                },
                {
                  "status": "affected",
                  "version": "1.3.2"
                },
                {
                  "status": "affected",
                  "version": "1.3.3"
                },
                {
                  "status": "affected",
                  "version": "1.3.4"
                },
                {
                  "status": "affected",
                  "version": "1.3.5"
                },
                {
                  "status": "affected",
                  "version": "1.3.6"
                },
                {
                  "status": "affected",
                  "version": "1.3.7"
                },
                {
                  "status": "affected",
                  "version": "1.3.8"
                },
                {
                  "status": "affected",
                  "version": "1.3.9"
                }
              ]
            },
            {
              "product": "07FLY-CMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.0"
                },
                {
                  "status": "affected",
                  "version": "1.3.1"
                },
                {
                  "status": "affected",
                  "version": "1.3.2"
                },
                {
                  "status": "affected",
                  "version": "1.3.3"
                },
                {
                  "status": "affected",
                  "version": "1.3.4"
                },
                {
                  "status": "affected",
                  "version": "1.3.5"
                },
                {
                  "status": "affected",
                  "version": "1.3.6"
                },
                {
                  "status": "affected",
                  "version": "1.3.7"
                },
                {
                  "status": "affected",
                  "version": "1.3.8"
                },
                {
                  "status": "affected",
                  "version": "1.3.9"
                }
              ]
            },
            {
              "product": "07FlyCRM",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.0"
                },
                {
                  "status": "affected",
                  "version": "1.3.1"
                },
                {
                  "status": "affected",
                  "version": "1.3.2"
                },
                {
                  "status": "affected",
                  "version": "1.3.3"
                },
                {
                  "status": "affected",
                  "version": "1.3.4"
                },
                {
                  "status": "affected",
                  "version": "1.3.5"
                },
                {
                  "status": "affected",
                  "version": "1.3.6"
                },
                {
                  "status": "affected",
                  "version": "1.3.7"
                },
                {
                  "status": "affected",
                  "version": "1.3.8"
                },
                {
                  "status": "affected",
                  "version": "1.3.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Excent1c (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability classified as problematic was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.3.9. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "In 07FLYCMS, 07FLY-CMS and 07FlyCRM bis 1.3.9 wurde eine Schwachstelle entdeckt. Sie wurde als problematisch eingestuft. Betroffen ist eine unbekannte Verarbeitung. Durch das Manipulieren mit unbekannten Daten kann eine cross-site request forgery-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "Cross-Site Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-06T08:32:05.396Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-314992 | 07FLYCMS/07FLY-CMS/07FlyCRM cross-site request forgery",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/?id.314992"
            },
            {
              "name": "VDB-314992 | CTI Indicators (IOB, IOC)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.314992"
            },
            {
              "name": "Submit #603552 | 07FLYCMS https://github.com/lingqifei/07fly-crm V1.3.9 CSRF",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.603552"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/Excentique/yuxuan_mei/blob/main/07fly-crm_1.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-07-05T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-07-05T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-07-05T14:39:34.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "07FLYCMS/07FLY-CMS/07FlyCRM cross-site request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-7078",
        "datePublished": "2025-07-06T08:32:05.396Z",
        "dateReserved": "2025-07-05T12:34:26.238Z",
        "dateUpdated": "2025-07-07T16:21:20.599Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25379 (GCVE-0-2025-25379)

    Vulnerability from nvd – Published: 2025-02-28 00:00 – Updated: 2025-03-04 15:44
    Summary
    Cross Site Request Forgery vulnerability in 07FLYCMS v.1.3.9 allows a remote attacker to execute arbitrary code via the id parameter of the del.html component.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-352 - Cross-Site Request Forgery (CSRF)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.6,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25379",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-04T15:43:18.196108Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-352",
                    "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-04T15:44:16.900Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/R2og/Sun-jialiang/tree/main/9/readme.md"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross Site Request Forgery vulnerability in 07FLYCMS v.1.3.9 allows a remote attacker to execute arbitrary code via the id parameter of the del.html component."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-28T22:26:17.682Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/R2og/Sun-jialiang/tree/main/9/readme.md"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-25379",
        "datePublished": "2025-02-28T00:00:00.000Z",
        "dateReserved": "2025-02-07T00:00:00.000Z",
        "dateUpdated": "2025-03-04T15:44:16.900Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-57611 (GCVE-0-2024-57611)

    Vulnerability from nvd – Published: 2025-01-16 00:00 – Updated: 2025-02-03 18:51
    Summary
    07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via admin/doAdminAction.php?act=editShop&shopId.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-352 - Cross-Site Request Forgery (CSRF)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 3.5,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-57611",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T17:10:41.032086Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-352",
                    "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T18:51:11.248Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via admin/doAdminAction.php?act=editShop\u0026shopId."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-16T16:04:46.489Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/daodaoshao/Yunpeng-Yin/tree/main/7/readme.md"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-57611",
        "datePublished": "2025-01-16T00:00:00.000Z",
        "dateReserved": "2025-01-09T00:00:00.000Z",
        "dateUpdated": "2025-02-03T18:51:11.248Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-57159 (GCVE-0-2024-57159)

    Vulnerability from nvd – Published: 2025-01-16 00:00 – Updated: 2025-03-13 13:40
    Summary
    07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via /erp.07fly.net:80/oa/OaWorkReport/add.html.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-352 - Cross-Site Request Forgery (CSRF)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 3.5,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-57159",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T17:09:31.059552Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-352",
                    "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-13T13:40:20.708Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via /erp.07fly.net:80/oa/OaWorkReport/add.html."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-16T16:08:49.758Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/1091101/yang.xian/tree/main/6/readme.md"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-57159",
        "datePublished": "2025-01-16T00:00:00.000Z",
        "dateReserved": "2025-01-09T00:00:00.000Z",
        "dateUpdated": "2025-03-13T13:40:20.708Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-51156 (GCVE-0-2024-51156)

    Vulnerability from nvd – Published: 2024-11-14 00:00 – Updated: 2024-11-18 18:10
    Summary
    07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component 'erp.07fly.net:80/admin/SysNotifyUser/del.html?id=93'.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-352 - Cross-Site Request Forgery (CSRF)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.7,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-51156",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-18T18:10:05.491443Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-352",
                    "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-18T18:10:08.440Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component \u0027erp.07fly.net:80/admin/SysNotifyUser/del.html?id=93\u0027."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-14T21:20:02.706Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/SamParkerXd/cms/tree/main/1"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-51156",
        "datePublished": "2024-11-14T00:00:00.000Z",
        "dateReserved": "2024-10-28T00:00:00.000Z",
        "dateUpdated": "2024-11-18T18:10:08.440Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-51157 (GCVE-0-2024-51157)

    Vulnerability from nvd – Published: 2024-11-08 00:00 – Updated: 2024-11-18 14:13
    Summary
    07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component http://erp.07fly.net:80/oa/OaSchedule/add.html.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Impacted products
    Vendor Product Version
    zero_takeoff 07flycms Affected: 1.3.9
        cpe:2.3:a:zero_takeoff:07flycms:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:zero_takeoff:07flycms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07flycms",
                "vendor": "zero_takeoff",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.3.9"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.7,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-51157",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-18T14:08:53.550546Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-352",
                    "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-18T14:13:04.340Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component http://erp.07fly.net:80/oa/OaSchedule/add.html."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-08T21:06:36.727Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/xiaoyunzhui/cms/blob/main/2/readme.md"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-51157",
        "datePublished": "2024-11-08T00:00:00.000Z",
        "dateReserved": "2024-10-28T00:00:00.000Z",
        "dateUpdated": "2024-11-18T14:13:04.340Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-9904 (GCVE-0-2024-9904)

    Vulnerability from nvd – Published: 2024-10-13 01:31 – Updated: 2024-10-15 14:28
    Title
    07FLYCMS/07FLY-CMS/07FlyCRM pictureUpload unrestricted upload
    Summary
    A vulnerability classified as critical was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.0. This vulnerability affects the function pictureUpload of the file /admin/File/pictureUpload. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.280180 vdb-entry, technical-description
    https://vuldb.com/?ctiid.280180 signature, permissions-required
    https://vuldb.com/?submit.421686 third-party-advisory
    https://github.com/DeepMountains/Mirage/blob/main… exploit
    Impacted products
    Vendor Product Version
    n/a 07FLYCMS Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    n/a 07FLY-CMS Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    n/a 07FlyCRM Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    zero_takeoff 07flycms Affected: 1.0
    Affected: 1.1
    Affected: 1.2
        cpe:2.3:a:zero_takeoff:07flycms:*:*:*:*:*:*:*:*
    zero_takeoff 07fly-cms Affected: 1.0
    Affected: 1.1
    Affected: 1.2
        cpe:2.3:a:zero_takeoff:07fly-cms:*:*:*:*:*:*:*:*
    zero_takeoff 07flycrm Affected: 1.0
    Affected: 1.1
    Affected: 1.2
        cpe:2.3:a:zero_takeoff:07flycrm:*:*:*:*:*:*:*:*
    Credits
    Dee.Mirage (VulDB User)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:zero_takeoff:07flycms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07flycms",
                "vendor": "zero_takeoff",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0"
                  },
                  {
                    "status": "affected",
                    "version": "1.1"
                  },
                  {
                    "status": "affected",
                    "version": "1.2"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:zero_takeoff:07fly-cms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07fly-cms",
                "vendor": "zero_takeoff",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0"
                  },
                  {
                    "status": "affected",
                    "version": "1.1"
                  },
                  {
                    "status": "affected",
                    "version": "1.2"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:zero_takeoff:07flycrm:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07flycrm",
                "vendor": "zero_takeoff",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0"
                  },
                  {
                    "status": "affected",
                    "version": "1.1"
                  },
                  {
                    "status": "affected",
                    "version": "1.2"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9904",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T14:23:51.694631Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T14:28:47.424Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "07FLYCMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                }
              ]
            },
            {
              "product": "07FLY-CMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                }
              ]
            },
            {
              "product": "07FlyCRM",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dee.Mirage (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability classified as critical was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.0. This vulnerability affects the function pictureUpload of the file /admin/File/pictureUpload. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address."
            },
            {
              "lang": "de",
              "value": "In 07FLYCMS, 07FLY-CMS and 07FlyCRM bis 1.2.0 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Es geht um die Funktion pictureUpload der Datei /admin/File/pictureUpload. Durch Beeinflussen des Arguments file mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.8,
                "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-13T01:31:04.358Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-280180 | 07FLYCMS/07FLY-CMS/07FlyCRM pictureUpload unrestricted upload",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.280180"
            },
            {
              "name": "VDB-280180 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.280180"
            },
            {
              "name": "Submit #421686 | 07fly crm S1 FileUpload",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.421686"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/DeepMountains/Mirage/blob/main/CVE19-2.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2024-10-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2024-10-12T08:31:35.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "07FLYCMS/07FLY-CMS/07FlyCRM pictureUpload unrestricted upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2024-9904",
        "datePublished": "2024-10-13T01:31:04.358Z",
        "dateReserved": "2024-10-12T06:25:13.837Z",
        "dateUpdated": "2024-10-15T14:28:47.424Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-9903 (GCVE-0-2024-9903)

    Vulnerability from nvd – Published: 2024-10-12 23:00 – Updated: 2024-10-15 14:38
    Title
    07FLYCMS/07FLY-CMS/07FlyCRM fileUpload unrestricted upload
    Summary
    A vulnerability classified as critical has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.0. This affects the function fileUpload of the file /admin/File/fileUpload. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.280179 vdb-entry, technical-description
    https://vuldb.com/?ctiid.280179 signature, permissions-required
    https://vuldb.com/?submit.421685 third-party-advisory
    https://github.com/DeepMountains/Mirage/blob/main… exploit
    Impacted products
    Vendor Product Version
    n/a 07FLYCMS Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    n/a 07FLY-CMS Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    n/a 07FlyCRM Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    zero_takeoff 07flycms Affected: 1.0
    Affected: 1.1
    Affected: 1.2
        cpe:2.3:a:zero_takeoff:07flycms:*:*:*:*:*:*:*:*
    zero_takeoff 07fly-cms Affected: 1.0
    Affected: 1.1
    Affected: 1.2
        cpe:2.3:a:zero_takeoff:07fly-cms:*:*:*:*:*:*:*:*
    zero_takeoff 07flycrm Affected: 1.0
    Affected: 1.1
    Affected: 1.2
        cpe:2.3:a:zero_takeoff:07flycrm:*:*:*:*:*:*:*:*
    Credits
    Dee.Mirage (VulDB User)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:zero_takeoff:07flycms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07flycms",
                "vendor": "zero_takeoff",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0"
                  },
                  {
                    "status": "affected",
                    "version": "1.1"
                  },
                  {
                    "status": "affected",
                    "version": "1.2"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:zero_takeoff:07fly-cms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07fly-cms",
                "vendor": "zero_takeoff",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0"
                  },
                  {
                    "status": "affected",
                    "version": "1.1"
                  },
                  {
                    "status": "affected",
                    "version": "1.2"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:zero_takeoff:07flycrm:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07flycrm",
                "vendor": "zero_takeoff",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0"
                  },
                  {
                    "status": "affected",
                    "version": "1.1"
                  },
                  {
                    "status": "affected",
                    "version": "1.2"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9903",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T14:32:57.706988Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T14:38:20.692Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "07FLYCMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                }
              ]
            },
            {
              "product": "07FLY-CMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                }
              ]
            },
            {
              "product": "07FlyCRM",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dee.Mirage (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability classified as critical has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.0. This affects the function fileUpload of the file /admin/File/fileUpload. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address."
            },
            {
              "lang": "de",
              "value": "Es wurde eine Schwachstelle in 07FLYCMS, 07FLY-CMS and 07FlyCRM bis 1.2.0 entdeckt. Sie wurde als kritisch eingestuft. Betroffen hiervon ist die Funktion fileUpload der Datei /admin/File/fileUpload. Durch das Beeinflussen des Arguments file mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.8,
                "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-12T23:00:06.275Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-280179 | 07FLYCMS/07FLY-CMS/07FlyCRM fileUpload unrestricted upload",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.280179"
            },
            {
              "name": "VDB-280179 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.280179"
            },
            {
              "name": "Submit #421685 | 07fly crm S1 FileUpload",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.421685"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/DeepMountains/Mirage/blob/main/CVE19-1.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2024-10-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2024-10-12T08:31:13.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "07FLYCMS/07FLY-CMS/07FlyCRM fileUpload unrestricted upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2024-9903",
        "datePublished": "2024-10-12T23:00:06.275Z",
        "dateReserved": "2024-10-12T06:25:11.177Z",
        "dateUpdated": "2024-10-15T14:38:20.692Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-9856 (GCVE-0-2024-9856)

    Vulnerability from nvd – Published: 2024-10-11 12:31 – Updated: 2024-10-11 14:13
    Title
    07FLYCMS/07FLY-CMS/07FlyCRM System Settings Page cross site scripting
    Summary
    A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM 1.3.8. It has been rated as problematic. Affected by this issue is some unknown functionality of the component System Settings Page. The manipulation of the argument Login Interface Copyright leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross Site Scripting
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.280052 vdb-entry, technical-description
    https://vuldb.com/?ctiid.280052 signature, permissions-required
    https://vuldb.com/?submit.419223 third-party-advisory
    https://github.com/DeepMountains/zzz/blob/main/CV… exploit
    Impacted products
    Vendor Product Version
    n/a 07FLYCMS Affected: 1.3.8
    n/a 07FLY-CMS Affected: 1.3.8
    n/a 07FlyCRM Affected: 1.3.8
    07fly 07fly-cms Affected: 1.3.8
        cpe:2.3:a:07fly:07fly-cms:1.3.8:*:*:*:*:*:*:*
    Credits
    chenzijie0619 (VulDB User)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:07fly:07fly-cms:1.3.8:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07fly-cms",
                "vendor": "07fly",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.3.8"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9856",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-11T14:07:41.807371Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-11T14:13:23.820Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "System Settings Page"
              ],
              "product": "07FLYCMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.8"
                }
              ]
            },
            {
              "modules": [
                "System Settings Page"
              ],
              "product": "07FLY-CMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.8"
                }
              ]
            },
            {
              "modules": [
                "System Settings Page"
              ],
              "product": "07FlyCRM",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.8"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "chenzijie0619 (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM 1.3.8. It has been rated as problematic. Affected by this issue is some unknown functionality of the component System Settings Page. The manipulation of the argument Login Interface Copyright leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address."
            },
            {
              "lang": "de",
              "value": "Eine problematische Schwachstelle wurde in 07FLYCMS, 07FLY-CMS and 07FlyCRM 1.3.8 ausgemacht. Dies betrifft einen unbekannten Teil der Komponente System Settings Page. Durch die Manipulation des Arguments Login Interface Copyright mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 3.3,
                "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-11T12:31:06.506Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-280052 | 07FLYCMS/07FLY-CMS/07FlyCRM System Settings Page cross site scripting",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.280052"
            },
            {
              "name": "VDB-280052 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.280052"
            },
            {
              "name": "Submit #419223 | \u96f6\u8d77\u98de 07FlyCms 1.3.8 XSS",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.419223"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/DeepMountains/zzz/blob/main/CVE6-2.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-11T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2024-10-11T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2024-10-11T08:40:40.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "07FLYCMS/07FLY-CMS/07FlyCRM System Settings Page cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2024-9856",
        "datePublished": "2024-10-11T12:31:06.506Z",
        "dateReserved": "2024-10-11T06:35:16.905Z",
        "dateUpdated": "2024-10-11T14:13:23.820Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-9855 (GCVE-0-2024-9855)

    Vulnerability from nvd – Published: 2024-10-11 12:31 – Updated: 2024-10-11 14:14
    Title
    07FLYCMS/07FLY-CMS/07FlyCRM Module Plug-In sysmodule_1 uploadFile unrestricted upload
    Summary
    A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM 1.3.8. It has been declared as critical. Affected by this vulnerability is the function uploadFile of the file /admin/SysModule/upload/ajaxmodel/upload/uploadfilepath/sysmodule_1 of the component Module Plug-In Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.280051 vdb-entry, technical-description
    https://vuldb.com/?ctiid.280051 signature, permissions-required
    https://vuldb.com/?submit.419222 third-party-advisory
    https://github.com/DeepMountains/zzz/blob/main/CV… exploit
    Impacted products
    Vendor Product Version
    n/a 07FLYCMS Affected: 1.3.8
    n/a 07FLY-CMS Affected: 1.3.8
    n/a 07FlyCRM Affected: 1.3.8
    07fly 07fly-cms Affected: 1.3.8
        cpe:2.3:a:07fly:07fly-cms:1.3.8:*:*:*:*:*:*:*
    Credits
    chenzijie0619 (VulDB User)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:07fly:07fly-cms:1.3.8:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07fly-cms",
                "vendor": "07fly",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.3.8"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9855",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-11T14:13:46.899418Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-11T14:14:30.450Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Module Plug-In Handler"
              ],
              "product": "07FLYCMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.8"
                }
              ]
            },
            {
              "modules": [
                "Module Plug-In Handler"
              ],
              "product": "07FLY-CMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.8"
                }
              ]
            },
            {
              "modules": [
                "Module Plug-In Handler"
              ],
              "product": "07FlyCRM",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.8"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "chenzijie0619 (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM 1.3.8. It has been declared as critical. Affected by this vulnerability is the function uploadFile of the file /admin/SysModule/upload/ajaxmodel/upload/uploadfilepath/sysmodule_1 of the component Module Plug-In Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address."
            },
            {
              "lang": "de",
              "value": "In 07FLYCMS, 07FLY-CMS and 07FlyCRM 1.3.8 wurde eine kritische Schwachstelle ausgemacht. Das betrifft die Funktion uploadFile der Datei /admin/SysModule/upload/ajaxmodel/upload/uploadfilepath/sysmodule_1 der Komponente Module Plug-In Handler. Mit der Manipulation des Arguments file mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.8,
                "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-11T12:31:04.986Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-280051 | 07FLYCMS/07FLY-CMS/07FlyCRM Module Plug-In sysmodule_1 uploadFile unrestricted upload",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.280051"
            },
            {
              "name": "VDB-280051 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.280051"
            },
            {
              "name": "Submit #419222 | \u96f6\u8d77\u98de 07FlyCms 1.3.8 FileUpload",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.419222"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/DeepMountains/zzz/blob/main/CVE6-1.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-11T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2024-10-11T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2024-10-11T08:40:33.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "07FLYCMS/07FLY-CMS/07FlyCRM Module Plug-In sysmodule_1 uploadFile unrestricted upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2024-9855",
        "datePublished": "2024-10-11T12:31:04.986Z",
        "dateReserved": "2024-10-11T06:35:14.410Z",
        "dateUpdated": "2024-10-11T14:14:30.450Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
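The CVE-2024-9855 record above describes an unrestricted upload (CWE-434) in an admin-side uploadFile handler: whatever arrives in the `file` argument is written to disk under the name the client chose, so a script file can land where the web server will execute it. The block below is an added example written for this page; it is not code from 07FLYCMS nor from the linked proof-of-concept. It shows the insecure pattern beside a hardened validator. `ALLOWED_TYPES`, `UPLOAD_DIR`, `validate_upload`, `secure_save` and the sample bytes are all constructed for the example, and the type policy and upload path are assumptions rather than the project's settings.

```python
import posixpath
import secrets

# Constructed policy for this example: the extensions that may be stored and
# the leading bytes each must carry. Anything else is rejected regardless of
# the client-supplied name or Content-Type header.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# Hypothetical destination. The hardened handler assumes this directory is
# served with script execution disabled and is not the application web root.
UPLOAD_DIR = "/var/www/uploads"


class UploadRejected(Exception):
    pass


def insecure_save(client_name: str, data: bytes, dest_dir: str = UPLOAD_DIR) -> str:
    """CWE-434 pattern: trusts the client-supplied name outright.
    'shell.php' becomes an executable script and '../x' walks out of
    the upload directory. Returns the path that would be written."""
    return posixpath.join(dest_dir, client_name)


def validate_upload(client_name: str, data: bytes, max_bytes: int = 2 * 1024 * 1024) -> str:
    """Return the extension the file may be stored under, or raise UploadRejected."""
    if len(data) == 0 or len(data) > max_bytes:
        raise UploadRejected("empty or oversized body")
    # Only the trailing extension drives the type decision, lower-cased. The
    # stem is never reused, so 'x.php.png' and NUL-byte tricks buy nothing.
    base = posixpath.basename(client_name.replace("\\", "/"))
    if "\x00" in base:
        raise UploadRejected("NUL byte in file name")
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension '{ext}' not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    # A polyglot (valid image header followed by PHP) is harmless when the
    # upload directory cannot execute scripts, but reject it anyway so a
    # misconfigured vhost does not turn a 'PNG' into a web shell.
    lowered = data.lower()
    if b"<?php" in lowered or b"<?=" in lowered or b"<script" in lowered:
        raise UploadRejected("embedded script content")
    return ext


def secure_save(client_name: str, data: bytes, dest_dir: str = UPLOAD_DIR) -> str:
    """Hardened counterpart of insecure_save: validate, then store under a
    server-generated random name so the client controls neither path nor name."""
    ext = validate_upload(client_name, data)
    stored = f"{secrets.token_hex(16)}.{ext}"
    path = posixpath.join(dest_dir, stored)
    # A real handler writes `data` to `path` here; omitted so the example runs
    # without touching the filesystem.
    return path


if __name__ == "__main__":
    png = ALLOWED_TYPES["png"] + b"\x00" * 16          # constructed sample
    print(insecure_save("shell.php", b"<?php system($_GET['c']); ?>"))
    print(secure_save("logo.png", png))
    for name, body in [("shell.php", b"<?php ?>"), ("poly.png", png + b"<?php echo 1; ?>")]:
        try:
            validate_upload(name, body)
        except UploadRejected as exc:
            print(f"rejected {name}: {exc}")
```

The decisive controls are the last three: decide the type from content rather than from the name, never reuse the client's name, and keep the destination non-executable. The extension allowlist alone is not enough, because a PHP-capable directory will still execute a `.png` that the server is misconfigured to hand to the interpreter.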

    CVE-2025-7078 (GCVE-0-2025-7078)

    Vulnerability from cvelistv5 – Published: 2025-07-06 08:32 – Updated: 2025-07-07 16:21
    Title
    07FLYCMS/07FLY-CMS/07FlyCRM cross-site request forgery
    Summary
    A vulnerability classified as problematic was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.3.9. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery
    • CWE-862 - Missing Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a 07FLYCMS Affected: 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9
    n/a 07FLY-CMS Affected: 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9
    n/a 07FlyCRM Affected: 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9
    Credits
    Excent1c (VulDB User)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-7078",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-07T16:21:17.941410Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-07T16:21:20.599Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/Excentique/yuxuan_mei/blob/main/07fly-crm_1.md"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "07FLYCMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.0"
                },
                {
                  "status": "affected",
                  "version": "1.3.1"
                },
                {
                  "status": "affected",
                  "version": "1.3.2"
                },
                {
                  "status": "affected",
                  "version": "1.3.3"
                },
                {
                  "status": "affected",
                  "version": "1.3.4"
                },
                {
                  "status": "affected",
                  "version": "1.3.5"
                },
                {
                  "status": "affected",
                  "version": "1.3.6"
                },
                {
                  "status": "affected",
                  "version": "1.3.7"
                },
                {
                  "status": "affected",
                  "version": "1.3.8"
                },
                {
                  "status": "affected",
                  "version": "1.3.9"
                }
              ]
            },
            {
              "product": "07FLY-CMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.0"
                },
                {
                  "status": "affected",
                  "version": "1.3.1"
                },
                {
                  "status": "affected",
                  "version": "1.3.2"
                },
                {
                  "status": "affected",
                  "version": "1.3.3"
                },
                {
                  "status": "affected",
                  "version": "1.3.4"
                },
                {
                  "status": "affected",
                  "version": "1.3.5"
                },
                {
                  "status": "affected",
                  "version": "1.3.6"
                },
                {
                  "status": "affected",
                  "version": "1.3.7"
                },
                {
                  "status": "affected",
                  "version": "1.3.8"
                },
                {
                  "status": "affected",
                  "version": "1.3.9"
                }
              ]
            },
            {
              "product": "07FlyCRM",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.0"
                },
                {
                  "status": "affected",
                  "version": "1.3.1"
                },
                {
                  "status": "affected",
                  "version": "1.3.2"
                },
                {
                  "status": "affected",
                  "version": "1.3.3"
                },
                {
                  "status": "affected",
                  "version": "1.3.4"
                },
                {
                  "status": "affected",
                  "version": "1.3.5"
                },
                {
                  "status": "affected",
                  "version": "1.3.6"
                },
                {
                  "status": "affected",
                  "version": "1.3.7"
                },
                {
                  "status": "affected",
                  "version": "1.3.8"
                },
                {
                  "status": "affected",
                  "version": "1.3.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Excent1c (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability classified as problematic was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.3.9. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "In 07FLYCMS, 07FLY-CMS and 07FlyCRM bis 1.3.9 wurde eine Schwachstelle entdeckt. Sie wurde als problematisch eingestuft. Betroffen ist eine unbekannte Verarbeitung. Durch das Manipulieren mit unbekannten Daten kann eine cross-site request forgery-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "Cross-Site Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-06T08:32:05.396Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-314992 | 07FLYCMS/07FLY-CMS/07FlyCRM cross-site request forgery",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/?id.314992"
            },
            {
              "name": "VDB-314992 | CTI Indicators (IOB, IOC)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.314992"
            },
            {
              "name": "Submit #603552 | 07FLYCMS https://github.com/lingqifei/07fly-crm V1.3.9 CSRF",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.603552"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/Excentique/yuxuan_mei/blob/main/07fly-crm_1.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-07-05T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-07-05T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-07-05T14:39:34.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "07FLYCMS/07FLY-CMS/07FlyCRM cross-site request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-7078",
        "datePublished": "2025-07-06T08:32:05.396Z",
        "dateReserved": "2025-07-05T12:34:26.238Z",
        "dateUpdated": "2025-07-07T16:21:20.599Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25379 (GCVE-0-2025-25379)

    Vulnerability from cvelistv5 – Published: 2025-02-28 00:00 – Updated: 2025-03-04 15:44
    Summary
    Cross Site Request Forgery vulnerability in 07FLYCMS v.1.3.9 allows a remote attacker to execute arbitrary code via the id parameter of the del.html component.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.6,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25379",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-04T15:43:18.196108Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-352",
                    "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-04T15:44:16.900Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/R2og/Sun-jialiang/tree/main/9/readme.md"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross Site Request Forgery vulnerability in 07FLYCMS v.1.3.9 allows a remote attacker to execute arbitrary code via the id parameter of the del.html component."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-28T22:26:17.682Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/R2og/Sun-jialiang/tree/main/9/readme.md"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-25379",
        "datePublished": "2025-02-28T00:00:00.000Z",
        "dateReserved": "2025-02-07T00:00:00.000Z",
        "dateUpdated": "2025-03-04T15:44:16.900Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-57611 (GCVE-0-2024-57611)

    Vulnerability from cvelistv5 – Published: 2025-01-16 00:00 – Updated: 2025-02-03 18:51
    Summary
    07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via admin/doAdminAction.php?act=editShop&shopId.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 3.5,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-57611",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T17:10:41.032086Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-352",
                    "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T18:51:11.248Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via admin/doAdminAction.php?act=editShop\u0026shopId."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-16T16:04:46.489Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/daodaoshao/Yunpeng-Yin/tree/main/7/readme.md"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-57611",
        "datePublished": "2025-01-16T00:00:00.000Z",
        "dateReserved": "2025-01-09T00:00:00.000Z",
        "dateUpdated": "2025-02-03T18:51:11.248Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-57159 (GCVE-0-2024-57159)

    Vulnerability from cvelistv5 – Published: 2025-01-16 00:00 – Updated: 2025-03-13 13:40
    VLAI
    Summary
    07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via /erp.07fly.net:80/oa/OaWorkReport/add.html.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 3.5,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-57159",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T17:09:31.059552Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-352",
                    "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-13T13:40:20.708Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via /erp.07fly.net:80/oa/OaWorkReport/add.html."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-16T16:08:49.758Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/1091101/yang.xian/tree/main/6/readme.md"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-57159",
        "datePublished": "2025-01-16T00:00:00.000Z",
        "dateReserved": "2025-01-09T00:00:00.000Z",
        "dateUpdated": "2025-03-13T13:40:20.708Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-51156 (GCVE-0-2024-51156)

    Vulnerability from cvelistv5 – Published: 2024-11-14 00:00 – Updated: 2024-11-18 18:10
    VLAI
    Summary
    07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component 'erp.07fly.net:80/admin/SysNotifyUser/del.html?id=93'.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.7,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-51156",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-18T18:10:05.491443Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-352",
                    "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-18T18:10:08.440Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component \u0027erp.07fly.net:80/admin/SysNotifyUser/del.html?id=93\u0027."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-14T21:20:02.706Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/SamParkerXd/cms/tree/main/1"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-51156",
        "datePublished": "2024-11-14T00:00:00.000Z",
        "dateReserved": "2024-10-28T00:00:00.000Z",
        "dateUpdated": "2024-11-18T18:10:08.440Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-51157 (GCVE-0-2024-51157)

    Vulnerability from cvelistv5 – Published: 2024-11-08 00:00 – Updated: 2024-11-18 14:13
    VLAI
    Summary
    07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component http://erp.07fly.net:80/oa/OaSchedule/add.html.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    zero_takeoff 07flycms Affected: 1.3.9
        cpe:2.3:a:zero_takeoff:07flycms:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:zero_takeoff:07flycms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07flycms",
                "vendor": "zero_takeoff",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.3.9"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.7,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-51157",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-18T14:08:53.550546Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-352",
                    "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-18T14:13:04.340Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component http://erp.07fly.net:80/oa/OaSchedule/add.html."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-08T21:06:36.727Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/xiaoyunzhui/cms/blob/main/2/readme.md"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-51157",
        "datePublished": "2024-11-08T00:00:00.000Z",
        "dateReserved": "2024-10-28T00:00:00.000Z",
        "dateUpdated": "2024-11-18T14:13:04.340Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-9904 (GCVE-0-2024-9904)

    Vulnerability from cvelistv5 – Published: 2024-10-13 01:31 – Updated: 2024-10-15 14:28
    VLAI
    Title
    07FLYCMS/07FLY-CMS/07FlyCRM pictureUpload unrestricted upload
    Summary
    A vulnerability classified as critical was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.0. This vulnerability affects the function pictureUpload of the file /admin/File/pictureUpload. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL  Tags
    https://vuldb.com/?id.280180  vdb-entry, technical-description
    https://vuldb.com/?ctiid.280180  signature, permissions-required
    https://vuldb.com/?submit.421686  third-party-advisory
    https://github.com/DeepMountains/Mirage/blob/main…  exploit
    Impacted products
    Vendor Product Version
    n/a 07FLYCMS Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    n/a 07FLY-CMS Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    n/a 07FlyCRM Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    zero_takeoff 07flycms Affected: 1.0
    Affected: 1.1
    Affected: 1.2
        cpe:2.3:a:zero_takeoff:07flycms:*:*:*:*:*:*:*:*
    zero_takeoff 07fly-cms Affected: 1.0
    Affected: 1.1
    Affected: 1.2
        cpe:2.3:a:zero_takeoff:07fly-cms:*:*:*:*:*:*:*:*
    zero_takeoff 07flycrm Affected: 1.0
    Affected: 1.1
    Affected: 1.2
        cpe:2.3:a:zero_takeoff:07flycrm:*:*:*:*:*:*:*:*
    Credits
    Dee.Mirage (VulDB User)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:zero_takeoff:07flycms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07flycms",
                "vendor": "zero_takeoff",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0"
                  },
                  {
                    "status": "affected",
                    "version": "1.1"
                  },
                  {
                    "status": "affected",
                    "version": "1.2"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:zero_takeoff:07fly-cms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07fly-cms",
                "vendor": "zero_takeoff",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0"
                  },
                  {
                    "status": "affected",
                    "version": "1.1"
                  },
                  {
                    "status": "affected",
                    "version": "1.2"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:zero_takeoff:07flycrm:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07flycrm",
                "vendor": "zero_takeoff",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0"
                  },
                  {
                    "status": "affected",
                    "version": "1.1"
                  },
                  {
                    "status": "affected",
                    "version": "1.2"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9904",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T14:23:51.694631Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T14:28:47.424Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "07FLYCMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                }
              ]
            },
            {
              "product": "07FLY-CMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                }
              ]
            },
            {
              "product": "07FlyCRM",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dee.Mirage (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability classified as critical was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.0. This vulnerability affects the function pictureUpload of the file /admin/File/pictureUpload. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address."
            },
            {
              "lang": "de",
              "value": "In 07FLYCMS, 07FLY-CMS and 07FlyCRM bis 1.2.0 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Es geht um die Funktion pictureUpload der Datei /admin/File/pictureUpload. Durch Beeinflussen des Arguments file mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.8,
                "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-13T01:31:04.358Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-280180 | 07FLYCMS/07FLY-CMS/07FlyCRM pictureUpload unrestricted upload",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.280180"
            },
            {
              "name": "VDB-280180 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.280180"
            },
            {
              "name": "Submit #421686 | 07fly crm S1 FileUpload",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.421686"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/DeepMountains/Mirage/blob/main/CVE19-2.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2024-10-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2024-10-12T08:31:35.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "07FLYCMS/07FLY-CMS/07FlyCRM pictureUpload unrestricted upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2024-9904",
        "datePublished": "2024-10-13T01:31:04.358Z",
        "dateReserved": "2024-10-12T06:25:13.837Z",
        "dateUpdated": "2024-10-15T14:28:47.424Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-9903 (GCVE-0-2024-9903)

    Vulnerability from cvelistv5 – Published: 2024-10-12 23:00 – Updated: 2024-10-15 14:38
    VLAI
    Title
    07FLYCMS/07FLY-CMS/07FlyCRM fileUpload unrestricted upload
    Summary
    A vulnerability classified as critical has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.0. This affects the function fileUpload of the file /admin/File/fileUpload. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL  Tags
    https://vuldb.com/?id.280179  vdb-entry, technical-description
    https://vuldb.com/?ctiid.280179  signature, permissions-required
    https://vuldb.com/?submit.421685  third-party-advisory
    https://github.com/DeepMountains/Mirage/blob/main…  exploit
    Impacted products
    Vendor Product Version
    n/a 07FLYCMS Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    n/a 07FLY-CMS Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    n/a 07FlyCRM Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    zero_takeoff 07flycms Affected: 1.0
    Affected: 1.1
    Affected: 1.2
        cpe:2.3:a:zero_takeoff:07flycms:*:*:*:*:*:*:*:*
    zero_takeoff 07fly-cms Affected: 1.0
    Affected: 1.1
    Affected: 1.2
        cpe:2.3:a:zero_takeoff:07fly-cms:*:*:*:*:*:*:*:*
    zero_takeoff 07flycrm Affected: 1.0
    Affected: 1.1
    Affected: 1.2
        cpe:2.3:a:zero_takeoff:07flycrm:*:*:*:*:*:*:*:*
    Credits
    Dee.Mirage (VulDB User)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:zero_takeoff:07flycms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07flycms",
                "vendor": "zero_takeoff",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0"
                  },
                  {
                    "status": "affected",
                    "version": "1.1"
                  },
                  {
                    "status": "affected",
                    "version": "1.2"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:zero_takeoff:07fly-cms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07fly-cms",
                "vendor": "zero_takeoff",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0"
                  },
                  {
                    "status": "affected",
                    "version": "1.1"
                  },
                  {
                    "status": "affected",
                    "version": "1.2"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:zero_takeoff:07flycrm:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07flycrm",
                "vendor": "zero_takeoff",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0"
                  },
                  {
                    "status": "affected",
                    "version": "1.1"
                  },
                  {
                    "status": "affected",
                    "version": "1.2"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9903",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T14:32:57.706988Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T14:38:20.692Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "07FLYCMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                }
              ]
            },
            {
              "product": "07FLY-CMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                }
              ]
            },
            {
              "product": "07FlyCRM",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dee.Mirage (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability classified as critical has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.0. This affects the function fileUpload of the file /admin/File/fileUpload. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address."
            },
            {
              "lang": "de",
              "value": "A vulnerability was discovered in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.0. It was classified as critical. Affected is the function fileUpload of the file /admin/File/fileUpload. By manipulating the argument file with unknown data, an unrestricted upload vulnerability can be exploited. The attack can be carried out over the network. The exploit is publicly available."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.8,
                "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-12T23:00:06.275Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-280179 | 07FLYCMS/07FLY-CMS/07FlyCRM fileUpload unrestricted upload",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.280179"
            },
            {
              "name": "VDB-280179 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.280179"
            },
            {
              "name": "Submit #421685 | 07fly crm S1 FileUpload",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.421685"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/DeepMountains/Mirage/blob/main/CVE19-1.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2024-10-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2024-10-12T08:31:13.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "07FLYCMS/07FLY-CMS/07FlyCRM fileUpload unrestricted upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2024-9903",
        "datePublished": "2024-10-12T23:00:06.275Z",
        "dateReserved": "2024-10-12T06:25:11.177Z",
        "dateUpdated": "2024-10-15T14:38:20.692Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-9856 (GCVE-0-2024-9856)

    Vulnerability from cvelistv5 – Published: 2024-10-11 12:31 – Updated: 2024-10-11 14:13
    Title
    07FLYCMS/07FLY-CMS/07FlyCRM System Settings Page cross site scripting
    Summary
    A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM 1.3.8 and rated problematic. It affects unknown functionality of the System Settings Page component: the value supplied for the Login Interface Copyright argument is not neutralised before it is written into a page, so manipulating it leads to cross site scripting. The attack may be launched remotely. Read the scores with the vectors in mind: the v3.x and v4.0 vectors in the record carry PR:H (CVSS v2: Au:M), and the v3.x vectors add UI:R, so the attacker already holds a high-privilege account that can edit the setting and a victim must load the page that renders it. This is script injection through an admin-controlled setting, not an unauthenticated XSS. The exploit has been disclosed to the public and may be used. The product is distributed under several names (07FLYCMS, 07FLY-CMS, 07FlyCRM). The vendor could not be contacted before the CVE was assigned because the published mail address does not work.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross Site Scripting
    Assigner
    VulDB
    References
    URL Tags
    https://vuldb.com/?id.280052 vdb-entry, technical-description
    https://vuldb.com/?ctiid.280052 signature, permissions-required
    https://vuldb.com/?submit.419223 third-party-advisory
    https://github.com/DeepMountains/zzz/blob/main/CV… exploit
    Impacted products
    Vendor Product Version
    n/a 07FLYCMS Affected: 1.3.8
    n/a 07FLY-CMS Affected: 1.3.8
    n/a 07FlyCRM Affected: 1.3.8
    07fly 07fly-cms Affected: 1.3.8
        cpe:2.3:a:07fly:07fly-cms:1.3.8:*:*:*:*:*:*:*
    Credits
    chenzijie0619 (VulDB User)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:07fly:07fly-cms:1.3.8:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07fly-cms",
                "vendor": "07fly",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.3.8"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9856",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-11T14:07:41.807371Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-11T14:13:23.820Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "System Settings Page"
              ],
              "product": "07FLYCMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.8"
                }
              ]
            },
            {
              "modules": [
                "System Settings Page"
              ],
              "product": "07FLY-CMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.8"
                }
              ]
            },
            {
              "modules": [
                "System Settings Page"
              ],
              "product": "07FlyCRM",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.8"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "chenzijie0619 (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM 1.3.8. It has been rated as problematic. Affected by this issue is some unknown functionality of the component System Settings Page. The manipulation of the argument Login Interface Copyright leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address."
            },
            {
              "lang": "de",
              "value": "A problematic vulnerability was identified in 07FLYCMS, 07FLY-CMS and 07FlyCRM 1.3.8. It affects an unknown part of the component System Settings Page. By manipulating the argument Login Interface Copyright with unknown data, a cross site scripting vulnerability can be exploited. The attack can take place over the network. The exploit is publicly available."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 3.3,
                "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-11T12:31:06.506Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-280052 | 07FLYCMS/07FLY-CMS/07FlyCRM System Settings Page cross site scripting",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.280052"
            },
            {
              "name": "VDB-280052 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.280052"
            },
            {
              "name": "Submit #419223 | \u96f6\u8d77\u98de 07FlyCms 1.3.8 XSS",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.419223"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/DeepMountains/zzz/blob/main/CVE6-2.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-11T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2024-10-11T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2024-10-11T08:40:40.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "07FLYCMS/07FLY-CMS/07FlyCRM System Settings Page cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2024-9856",
        "datePublished": "2024-10-11T12:31:06.506Z",
        "dateReserved": "2024-10-11T06:35:16.905Z",
        "dateUpdated": "2024-10-11T14:13:23.820Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-9855 (GCVE-0-2024-9855)

    Vulnerability from cvelistv5 – Published: 2024-10-11 12:31 – Updated: 2024-10-11 14:14
    Title
    07FLYCMS/07FLY-CMS/07FlyCRM Module Plug-In sysmodule_1 uploadFile unrestricted upload
    Summary
    A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM 1.3.8 and declared critical. It affects the function uploadFile of the file /admin/SysModule/upload/ajaxmodel/upload/uploadfilepath/sysmodule_1 in the Module Plug-In Handler component: manipulating the argument file leads to unrestricted upload (CWE-434), meaning the handler does not adequately restrict the type of file it accepts. The attack can be launched remotely. Note the gap between the "critical" label and the scores: the v3.x and v4.0 vectors carry PR:H (CVSS v2: Au:M), so the precondition is an authenticated high-privilege account, and the base scores land at MEDIUM. It is the second upload issue of this kind in the product; CVE-2024-9903, listed above, reports the same weakness in /admin/File/fileUpload for versions up to 1.2.0. The exploit has been disclosed to the public and may be used. The product is distributed under several names (07FLYCMS, 07FLY-CMS, 07FlyCRM). The vendor could not be contacted before the CVE was assigned because the published mail address does not work.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload
    Assigner
    VulDB
    References
    URL Tags
    https://vuldb.com/?id.280051 vdb-entry, technical-description
    https://vuldb.com/?ctiid.280051 signature, permissions-required
    https://vuldb.com/?submit.419222 third-party-advisory
    https://github.com/DeepMountains/zzz/blob/main/CV… exploit
    Impacted products
    Vendor Product Version
    n/a 07FLYCMS Affected: 1.3.8
    n/a 07FLY-CMS Affected: 1.3.8
    n/a 07FlyCRM Affected: 1.3.8
    07fly 07fly-cms Affected: 1.3.8
        cpe:2.3:a:07fly:07fly-cms:1.3.8:*:*:*:*:*:*:*
    Credits
    chenzijie0619 (VulDB User)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:07fly:07fly-cms:1.3.8:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "07fly-cms",
                "vendor": "07fly",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.3.8"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9855",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-11T14:13:46.899418Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-11T14:14:30.450Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Module Plug-In Handler"
              ],
              "product": "07FLYCMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.8"
                }
              ]
            },
            {
              "modules": [
                "Module Plug-In Handler"
              ],
              "product": "07FLY-CMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.8"
                }
              ]
            },
            {
              "modules": [
                "Module Plug-In Handler"
              ],
              "product": "07FlyCRM",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.8"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "chenzijie0619 (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM 1.3.8. It has been declared as critical. Affected by this vulnerability is the function uploadFile of the file /admin/SysModule/upload/ajaxmodel/upload/uploadfilepath/sysmodule_1 of the component Module Plug-In Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address."
            },
            {
              "lang": "de",
              "value": "A critical vulnerability was identified in 07FLYCMS, 07FLY-CMS and 07FlyCRM 1.3.8. It affects the function uploadFile of the file /admin/SysModule/upload/ajaxmodel/upload/uploadfilepath/sysmodule_1 of the component Module Plug-In Handler. By manipulating the argument file with unknown data, an unrestricted upload vulnerability can be exploited. The attack can be launched over the network. The exploit is publicly available."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.8,
                "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-11T12:31:04.986Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-280051 | 07FLYCMS/07FLY-CMS/07FlyCRM Module Plug-In sysmodule_1 uploadFile unrestricted upload",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.280051"
            },
            {
              "name": "VDB-280051 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.280051"
            },
            {
              "name": "Submit #419222 | \u96f6\u8d77\u98de 07FlyCms 1.3.8 FileUpload",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.419222"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/DeepMountains/zzz/blob/main/CVE6-1.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-11T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2024-10-11T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2024-10-11T08:40:33.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "07FLYCMS/07FLY-CMS/07FlyCRM Module Plug-In sysmodule_1 uploadFile unrestricted upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2024-9855",
        "datePublished": "2024-10-11T12:31:04.986Z",
        "dateReserved": "2024-10-11T06:35:14.410Z",
        "dateUpdated": "2024-10-11T14:14:30.450Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }