PHPMyWind 5.6 is vulnerable to Remote Code Execution. Because input is filtered without "<, >, ?, =, `,...." in the WriteConfig() function, an attacker can inject PHP code into the /include/config.cache.php file.
Max CVSS: 7.2
EPSS Score: 0.51%
Published: 2021-09-07
Updated: 2021-09-14
SQL injection vulnerability in gaozhifeng PHPMyWind v.5.6 allows a remote attacker to execute arbitrary code via the id variable in the modify function.
Max CVSS: 7.2
EPSS Score: 0.06%
Published: 2023-06-20
Updated: 2023-06-27
Unrestricted File Upload in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the component 'admin/upload_file_do.php'.
Max CVSS: 7.2
EPSS Score: 0.77%
Published: 2021-08-20
Updated: 2021-08-24
Command Injection in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the "text color" field of the component '/admin/web_config.php'.
Max CVSS: 7.2
EPSS Score: 0.18%
Published: 2021-08-20
Updated: 2022-09-20
Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_switchshow" of component "/admin/web_config.php".
Max CVSS: 4.8
EPSS Score: 0.07%
Published: 2021-05-27
Updated: 2021-05-28
Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_copyright" of component "/admin/web_config.php".
Max CVSS: 4.8
EPSS Score: 0.07%
Published: 2021-05-27
Updated: 2021-05-28
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the cfg_author field in conjunction with a crafted cfg_webpath field.
Max CVSS: 7.2
EPSS Score: 0.12%
Published: 2018-09-17
Updated: 2018-11-01
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the rewrite url setting.
Max CVSS: 7.2
EPSS Score: 0.12%
Published: 2018-09-17
Updated: 2018-11-01
admin/goods_update.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the attrvalue[] array parameter.
Max CVSS: 7.2
EPSS Score: 0.14%
Published: 2018-09-17
Updated: 2018-11-01
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the varvalue field.
Max CVSS: 7.2
EPSS Score: 0.12%
Published: 2018-09-17
Updated: 2018-11-01
10 vulnerabilities found