10 vulnerabilities found for soycms by inunosinsi
CVE-2024-28187 (GCVE-0-2024-28187)
Vulnerability from nvd – Published: 2024-03-11 19:54 – Updated: 2024-08-27 19:50
Title
OS Command Injection Vulnerability in SOY CMS
Summary
SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
7.2 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Impacted products
| Vendor | Product | Version |
|---|---|---|
| inunosinsi | soycms | < 3.14.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.458Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm"
},
{
"name": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:soycms_project:soycms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "soycms",
"vendor": "soycms_project",
"versions": [
{
"lessThan": "3.14.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28187",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T19:49:03.978807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T19:50:44.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "soycms",
"vendor": "inunosinsi",
"versions": [
{
"status": "affected",
"version": "\u003c 3.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-11T19:54:05.452Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm"
},
{
"name": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8"
}
],
"source": {
"advisory": "GHSA-qg3q-hfgc-5jmm",
"discovery": "UNKNOWN"
},
"title": "OS Command Injection Vulnerability in SOY CMS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28187",
"datePublished": "2024-03-11T19:54:05.452Z",
"dateReserved": "2024-03-06T17:35:00.858Z",
"dateUpdated": "2024-08-27T19:50:44.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15189 (GCVE-0-2020-15189)
Vulnerability from nvd – Published: 2020-09-18 17:20 – Updated: 2024-08-04 13:08
Title
Remote Code Execution in SOY CMS
Summary
SOY CMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) using Unrestricted File Upload. The Cross-Site Scripting (XSS) vulnerability that was used in CVE-2020-15183 can be used to increase impact by redirecting the administrator to access a specially crafted page. This vulnerability is caused by insecure configuration in elFinder. This is fixed in version 3.0.2.328.
Severity
6.8 (Medium)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Impacted products
| Vendor | Product | Version |
|---|---|---|
| inunosinsi | soycms | < 3.0.2.328 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-6r2f-p68g-m433"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/issues/9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/pull/14"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/pull/14/commits/e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://youtu.be/FWIDFNXmr9g"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "soycms",
"vendor": "inunosinsi",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.2.328"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SOY CMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) using Unrestricted File Upload. Cross-Site Scripting(XSS) vulnerability that was used in CVE-2020-15183 can be used to increase impact by redirecting the administrator to access a specially crafted page. This vulnerability is caused by insecure configuration in elFinder. This is fixed in version 3.0.2.328."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "{\"CWE-434\":\"Unrestricted Upload of File with Dangerous Type\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-18T17:20:15",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-6r2f-p68g-m433"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/issues/9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/pull/14"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/pull/14/commits/e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://youtu.be/FWIDFNXmr9g"
}
],
"source": {
"advisory": "GHSA-6r2f-p68g-m433",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution in SOY CMS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15189",
"STATE": "PUBLIC",
"TITLE": "Remote Code Execution in SOY CMS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "soycms",
"version": {
"version_data": [
{
"version_value": "\u003c 3.0.2.328"
}
]
}
}
]
},
"vendor_name": "inunosinsi"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SOY CMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) using Unrestricted File Upload. Cross-Site Scripting(XSS) vulnerability that was used in CVE-2020-15183 can be used to increase impact by redirecting the administrator to access a specially crafted page. This vulnerability is caused by insecure configuration in elFinder. This is fixed in version 3.0.2.328."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-434\":\"Unrestricted Upload of File with Dangerous Type\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-6r2f-p68g-m433",
"refsource": "CONFIRM",
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-6r2f-p68g-m433"
},
{
"name": "https://github.com/inunosinsi/soycms/issues/9",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/issues/9"
},
{
"name": "https://github.com/inunosinsi/soycms/pull/14",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/pull/14"
},
{
"name": "https://github.com/inunosinsi/soycms/pull/14/commits/e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/pull/14/commits/e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59"
},
{
"name": "https://youtu.be/FWIDFNXmr9g",
"refsource": "MISC",
"url": "https://youtu.be/FWIDFNXmr9g"
}
]
},
"source": {
"advisory": "GHSA-6r2f-p68g-m433",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15189",
"datePublished": "2020-09-18T17:20:16",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15188 (GCVE-0-2020-15188)
Vulnerability from nvd – Published: 2020-09-18 17:05 – Updated: 2024-08-04 13:08
Title
Unauthenticated Remote Code Execution in SOY CMS
Summary
SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). This allows remote attackers to execute arbitrary code when the inquiry form feature is enabled by the service. The vulnerability is caused by unserializing the form without any restrictions. This was fixed in 3.0.2.328.
Severity
10 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Impacted products
| Vendor | Product | Version |
|---|---|---|
| inunosinsi | soycms | < 3.0.2.328 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-hrrx-m22r-p9jp"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/issues/10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/pull/12/commits/a75642989132dd25f74a13194b27c0986c3de020"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.youtube.com/watch?v=zAE4Swjc-GU\u0026feature=youtu.be"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "soycms",
"vendor": "inunosinsi",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.2.328"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). The allows remote attackers to execute any arbitrary code when the inquiry form feature is enabled by the service. The vulnerability is caused by unserializing the form without any restrictions. This was fixed in 3.0.2.328."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "{\"CWE-502\":\"Deserialization of Untrusted Data\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-18T17:05:18",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-hrrx-m22r-p9jp"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/issues/10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/pull/12/commits/a75642989132dd25f74a13194b27c0986c3de020"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.youtube.com/watch?v=zAE4Swjc-GU\u0026feature=youtu.be"
}
],
"source": {
"advisory": "GHSA-hrrx-m22r-p9jp",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Remote Code Execution in SOY CMS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15188",
"STATE": "PUBLIC",
"TITLE": "Unauthenticated Remote Code Execution in SOY CMS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "soycms",
"version": {
"version_data": [
{
"version_value": "\u003c 3.0.2.328"
}
]
}
}
]
},
"vendor_name": "inunosinsi"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). The allows remote attackers to execute any arbitrary code when the inquiry form feature is enabled by the service. The vulnerability is caused by unserializing the form without any restrictions. This was fixed in 3.0.2.328."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-502\":\"Deserialization of Untrusted Data\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-hrrx-m22r-p9jp",
"refsource": "CONFIRM",
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-hrrx-m22r-p9jp"
},
{
"name": "https://github.com/inunosinsi/soycms/issues/10",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/issues/10"
},
{
"name": "https://github.com/inunosinsi/soycms/pull/12/commits/a75642989132dd25f74a13194b27c0986c3de020",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/pull/12/commits/a75642989132dd25f74a13194b27c0986c3de020"
},
{
"name": "https://www.youtube.com/watch?v=zAE4Swjc-GU\u0026feature=youtu.be",
"refsource": "MISC",
"url": "https://www.youtube.com/watch?v=zAE4Swjc-GU\u0026feature=youtu.be"
}
]
},
"source": {
"advisory": "GHSA-hrrx-m22r-p9jp",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15188",
"datePublished": "2020-09-18T17:05:18",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15183 (GCVE-0-2020-15183)
Vulnerability from nvd – Published: 2020-09-17 20:10 – Updated: 2024-08-04 13:08
Title
Reflected XSS leading to RCE in SoyCMS
Summary
SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage.
Severity
8.4 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Impacted products
| Vendor | Product | Version |
|---|---|---|
| inunosinsi | soycms | <= 3.0.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.471Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://youtu.be/uAMAwH35ups"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "soycms",
"vendor": "inunosinsi",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-17T20:10:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://youtu.be/uAMAwH35ups"
}
],
"source": {
"advisory": "GHSA-33q6-4xmp-2f48",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS leading to RCE in SoyCMS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15183",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS leading to RCE in SoyCMS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "soycms",
"version": {
"version_data": [
{
"version_value": "\u003c= 3.0.2"
}
]
}
}
]
},
"vendor_name": "inunosinsi"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48",
"refsource": "CONFIRM",
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"
},
{
"name": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"
},
{
"name": "https://youtu.be/uAMAwH35ups",
"refsource": "MISC",
"url": "https://youtu.be/uAMAwH35ups"
}
]
},
"source": {
"advisory": "GHSA-33q6-4xmp-2f48",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15183",
"datePublished": "2020-09-17T20:10:13",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15182 (GCVE-0-2020-15182)
Vulnerability from nvd – Published: 2020-09-17 19:20 – Updated: 2024-08-04 13:08
Title
Cross-site Request Forgery leading to RCE in SOY CMS
Summary
The SOY Inquiry component of SOY CMS is affected by Cross-site Request Forgery (CSRF) and Remote Code Execution (RCE). The vulnerability affects versions 2.0.0.3 and earlier of SOY Inquiry. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage. An administrator must be logged in for exploitation to be possible. This issue is fixed in SOY Inquiry version 2.0.0.4 and included in SOY CMS 3.0.2.328.
Severity
8.4 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| inunosinsi | soycms | < 2.0.0.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.487Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-j2qw-747j-mfv4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://youtu.be/ffvKH3gwyRE"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/pull/15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "soycms",
"vendor": "inunosinsi",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The SOY Inquiry component of SOY CMS is affected by Cross-site Request Forgery (CSRF) and Remote Code Execution (RCE). The vulnerability affects versions 2.0.0.3 and earlier of SOY Inquiry. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage. An administrator must be logged in for exploitation to be possible. This issue is fixed in SOY Inquiry version 2.0.0.4 and included in SOY CMS 3.0.2.328."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-18T18:13:15",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-j2qw-747j-mfv4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://youtu.be/ffvKH3gwyRE"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/pull/15"
}
],
"source": {
"advisory": "GHSA-j2qw-747j-mfv4",
"discovery": "UNKNOWN"
},
"title": "Cross-site Request Forgery leading to RCE in SOY CMS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15182",
"STATE": "PUBLIC",
"TITLE": "Cross-site Request Forgery leading to RCE in SOY CMS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "soycms",
"version": {
"version_data": [
{
"version_value": "\u003c 2.0.0.4"
}
]
}
}
]
},
"vendor_name": "inunosinsi"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The SOY Inquiry component of SOY CMS is affected by Cross-site Request Forgery (CSRF) and Remote Code Execution (RCE). The vulnerability affects versions 2.0.0.3 and earlier of SOY Inquiry. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage. An administrator must be logged in for exploitation to be possible. This issue is fixed in SOY Inquiry version 2.0.0.4 and included in SOY CMS 3.0.2.328."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-j2qw-747j-mfv4",
"refsource": "CONFIRM",
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-j2qw-747j-mfv4"
},
{
"name": "https://youtu.be/ffvKH3gwyRE",
"refsource": "MISC",
"url": "https://youtu.be/ffvKH3gwyRE"
},
{
"name": "https://github.com/inunosinsi/soycms/pull/15",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/pull/15"
}
]
},
"source": {
"advisory": "GHSA-j2qw-747j-mfv4",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15182",
"datePublished": "2020-09-17T19:20:15",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28187 (GCVE-0-2024-28187)
Vulnerability from cvelistv5 – Published: 2024-03-11 19:54 – Updated: 2024-08-27 19:50
Title
OS Command Injection Vulnerability in SOY CMS
Summary
SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
7.2 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Impacted products
| Vendor | Product | Version |
|---|---|---|
| inunosinsi | soycms | < 3.14.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.458Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm"
},
{
"name": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:soycms_project:soycms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "soycms",
"vendor": "soycms_project",
"versions": [
{
"lessThan": "3.14.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28187",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T19:49:03.978807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T19:50:44.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "soycms",
"vendor": "inunosinsi",
"versions": [
{
"status": "affected",
"version": "\u003c 3.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-11T19:54:05.452Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm"
},
{
"name": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8"
}
],
"source": {
"advisory": "GHSA-qg3q-hfgc-5jmm",
"discovery": "UNKNOWN"
},
"title": "OS Command Injection Vulnerability in SOY CMS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28187",
"datePublished": "2024-03-11T19:54:05.452Z",
"dateReserved": "2024-03-06T17:35:00.858Z",
"dateUpdated": "2024-08-27T19:50:44.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15189 (GCVE-0-2020-15189)
Vulnerability from cvelistv5 – Published: 2020-09-18 17:20 – Updated: 2024-08-04 13:08
Title
Remote Code Execution in SOY CMS
Summary
SOY CMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) using Unrestricted File Upload. The Cross-Site Scripting (XSS) vulnerability that was used in CVE-2020-15183 can be used to increase impact by redirecting the administrator to access a specially crafted page. This vulnerability is caused by insecure configuration in elFinder. This is fixed in version 3.0.2.328.
Severity
6.8 (Medium)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
- https://github.com/inunosinsi/soycms/security/advisories/GHSA-6r2f-p68g-m433 (CONFIRM)
- https://github.com/inunosinsi/soycms/issues/9 (MISC)
- https://github.com/inunosinsi/soycms/pull/14 (MISC)
- https://github.com/inunosinsi/soycms/pull/14/commits/e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59 (MISC)
- https://youtu.be/FWIDFNXmr9g (MISC)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| inunosinsi | soycms | Affected: < 3.0.2.328 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-6r2f-p68g-m433"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/issues/9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/pull/14"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/pull/14/commits/e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://youtu.be/FWIDFNXmr9g"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "soycms",
"vendor": "inunosinsi",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.2.328"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SOY CMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) using Unrestricted File Upload. The Cross-Site Scripting (XSS) vulnerability that was used in CVE-2020-15183 can be used to increase impact by redirecting the administrator to access a specially crafted page. This vulnerability is caused by insecure configuration in elFinder. This is fixed in version 3.0.2.328."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "{\"CWE-434\":\"Unrestricted Upload of File with Dangerous Type\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-18T17:20:15",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-6r2f-p68g-m433"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/issues/9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/pull/14"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/pull/14/commits/e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://youtu.be/FWIDFNXmr9g"
}
],
"source": {
"advisory": "GHSA-6r2f-p68g-m433",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution in SOY CMS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15189",
"STATE": "PUBLIC",
"TITLE": "Remote Code Execution in SOY CMS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "soycms",
"version": {
"version_data": [
{
"version_value": "\u003c 3.0.2.328"
}
]
}
}
]
},
"vendor_name": "inunosinsi"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SOY CMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) using Unrestricted File Upload. The Cross-Site Scripting (XSS) vulnerability that was used in CVE-2020-15183 can be used to increase impact by redirecting the administrator to access a specially crafted page. This vulnerability is caused by insecure configuration in elFinder. This is fixed in version 3.0.2.328."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-434\":\"Unrestricted Upload of File with Dangerous Type\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-6r2f-p68g-m433",
"refsource": "CONFIRM",
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-6r2f-p68g-m433"
},
{
"name": "https://github.com/inunosinsi/soycms/issues/9",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/issues/9"
},
{
"name": "https://github.com/inunosinsi/soycms/pull/14",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/pull/14"
},
{
"name": "https://github.com/inunosinsi/soycms/pull/14/commits/e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/pull/14/commits/e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59"
},
{
"name": "https://youtu.be/FWIDFNXmr9g",
"refsource": "MISC",
"url": "https://youtu.be/FWIDFNXmr9g"
}
]
},
"source": {
"advisory": "GHSA-6r2f-p68g-m433",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15189",
"datePublished": "2020-09-18T17:20:16",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15188 (GCVE-0-2020-15188)
Vulnerability from cvelistv5 – Published: 2020-09-18 17:05 – Updated: 2024-08-04 13:08
Title
Unauthenticated Remote Code Execution in SOY CMS
Summary
SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). This allows remote attackers to execute arbitrary code when the inquiry form feature is enabled by the service. The vulnerability is caused by unserializing the form without any restrictions. This was fixed in 3.0.2.328.
Severity
10 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
- https://github.com/inunosinsi/soycms/security/advisories/GHSA-hrrx-m22r-p9jp (CONFIRM)
- https://github.com/inunosinsi/soycms/issues/10 (MISC)
- https://github.com/inunosinsi/soycms/pull/12/commits/a75642989132dd25f74a13194b27c0986c3de020 (MISC)
- https://www.youtube.com/watch?v=zAE4Swjc-GU&feature=youtu.be (MISC)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| inunosinsi | soycms | Affected: < 3.0.2.328 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-hrrx-m22r-p9jp"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/issues/10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/pull/12/commits/a75642989132dd25f74a13194b27c0986c3de020"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.youtube.com/watch?v=zAE4Swjc-GU\u0026feature=youtu.be"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "soycms",
"vendor": "inunosinsi",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.2.328"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). This allows remote attackers to execute arbitrary code when the inquiry form feature is enabled by the service. The vulnerability is caused by unserializing the form without any restrictions. This was fixed in 3.0.2.328."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "{\"CWE-502\":\"Deserialization of Untrusted Data\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-18T17:05:18",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-hrrx-m22r-p9jp"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/issues/10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/pull/12/commits/a75642989132dd25f74a13194b27c0986c3de020"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.youtube.com/watch?v=zAE4Swjc-GU\u0026feature=youtu.be"
}
],
"source": {
"advisory": "GHSA-hrrx-m22r-p9jp",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Remote Code Execution in SOY CMS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15188",
"STATE": "PUBLIC",
"TITLE": "Unauthenticated Remote Code Execution in SOY CMS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "soycms",
"version": {
"version_data": [
{
"version_value": "\u003c 3.0.2.328"
}
]
}
}
]
},
"vendor_name": "inunosinsi"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). This allows remote attackers to execute arbitrary code when the inquiry form feature is enabled by the service. The vulnerability is caused by unserializing the form without any restrictions. This was fixed in 3.0.2.328."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-502\":\"Deserialization of Untrusted Data\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-hrrx-m22r-p9jp",
"refsource": "CONFIRM",
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-hrrx-m22r-p9jp"
},
{
"name": "https://github.com/inunosinsi/soycms/issues/10",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/issues/10"
},
{
"name": "https://github.com/inunosinsi/soycms/pull/12/commits/a75642989132dd25f74a13194b27c0986c3de020",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/pull/12/commits/a75642989132dd25f74a13194b27c0986c3de020"
},
{
"name": "https://www.youtube.com/watch?v=zAE4Swjc-GU\u0026feature=youtu.be",
"refsource": "MISC",
"url": "https://www.youtube.com/watch?v=zAE4Swjc-GU\u0026feature=youtu.be"
}
]
},
"source": {
"advisory": "GHSA-hrrx-m22r-p9jp",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15188",
"datePublished": "2020-09-18T17:05:18",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15183 (GCVE-0-2020-15183)
Vulnerability from cvelistv5 – Published: 2020-09-17 20:10 – Updated: 2024-08-04 13:08
Title
Reflected XSS leading to RCE in SoyCMS
Summary
SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage.
Severity
8.4 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
- https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48 (CONFIRM)
- https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707 (MISC)
- https://youtu.be/uAMAwH35ups (MISC)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| inunosinsi | soycms | Affected: <= 3.0.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.471Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://youtu.be/uAMAwH35ups"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "soycms",
"vendor": "inunosinsi",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-17T20:10:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://youtu.be/uAMAwH35ups"
}
],
"source": {
"advisory": "GHSA-33q6-4xmp-2f48",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS leading to RCE in SoyCMS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15183",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS leading to RCE in SoyCMS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "soycms",
"version": {
"version_data": [
{
"version_value": "\u003c= 3.0.2"
}
]
}
}
]
},
"vendor_name": "inunosinsi"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48",
"refsource": "CONFIRM",
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"
},
{
"name": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"
},
{
"name": "https://youtu.be/uAMAwH35ups",
"refsource": "MISC",
"url": "https://youtu.be/uAMAwH35ups"
}
]
},
"source": {
"advisory": "GHSA-33q6-4xmp-2f48",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15183",
"datePublished": "2020-09-17T20:10:13",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15182 (GCVE-0-2020-15182)
Vulnerability from cvelistv5 – Published: 2020-09-17 19:20 – Updated: 2024-08-04 13:08
Title
Cross-site Request Forgery leading to RCE in SOY CMS
Summary
The SOY Inquiry component of SOY CMS is affected by Cross-site Request Forgery (CSRF) and Remote Code Execution (RCE). The vulnerability affects versions 2.0.0.3 and earlier of SOY Inquiry. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage. An administrator must be logged in for exploitation to be possible. This issue is fixed in SOY Inquiry version 2.0.0.4 and included in SOY CMS 3.0.2.328.
Severity
8.4 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
- https://github.com/inunosinsi/soycms/security/advisories/GHSA-j2qw-747j-mfv4 (CONFIRM)
- https://youtu.be/ffvKH3gwyRE (MISC)
- https://github.com/inunosinsi/soycms/pull/15 (MISC)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| inunosinsi | soycms | Affected: < 2.0.0.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.487Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-j2qw-747j-mfv4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://youtu.be/ffvKH3gwyRE"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/pull/15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "soycms",
"vendor": "inunosinsi",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The SOY Inquiry component of SOY CMS is affected by Cross-site Request Forgery (CSRF) and Remote Code Execution (RCE). The vulnerability affects versions 2.0.0.3 and earlier of SOY Inquiry. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage. An administrator must be logged in for exploitation to be possible. This issue is fixed in SOY Inquiry version 2.0.0.4 and included in SOY CMS 3.0.2.328."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-18T18:13:15",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-j2qw-747j-mfv4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://youtu.be/ffvKH3gwyRE"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/pull/15"
}
],
"source": {
"advisory": "GHSA-j2qw-747j-mfv4",
"discovery": "UNKNOWN"
},
"title": "Cross-site Request Forgery leading to RCE in SOY CMS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15182",
"STATE": "PUBLIC",
"TITLE": "Cross-site Request Forgery leading to RCE in SOY CMS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "soycms",
"version": {
"version_data": [
{
"version_value": "\u003c 2.0.0.4"
}
]
}
}
]
},
"vendor_name": "inunosinsi"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The SOY Inquiry component of SOY CMS is affected by Cross-site Request Forgery (CSRF) and Remote Code Execution (RCE). The vulnerability affects versions 2.0.0.3 and earlier of SOY Inquiry. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage. An administrator must be logged in for exploitation to be possible. This issue is fixed in SOY Inquiry version 2.0.0.4 and included in SOY CMS 3.0.2.328."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-j2qw-747j-mfv4",
"refsource": "CONFIRM",
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-j2qw-747j-mfv4"
},
{
"name": "https://youtu.be/ffvKH3gwyRE",
"refsource": "MISC",
"url": "https://youtu.be/ffvKH3gwyRE"
},
{
"name": "https://github.com/inunosinsi/soycms/pull/15",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/pull/15"
}
]
},
"source": {
"advisory": "GHSA-j2qw-747j-mfv4",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15182",
"datePublished": "2020-09-17T19:20:15",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}