naviwebs 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには vendor risk cross-site scripting、vendor risk sql injection、パス処理の欠陥, and vendor risk csrf があり、vendor surface software deployment and vendor surface production workloads の利用場面で vendor impact session compromise、vendor impact data exposure, and ファイル上書き などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2020-37054 | Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation. | [email protected] | 5.1 | 0.01% | 2026-01-30 | 2026-02-13 |
| CVE-2020-37053 | Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts. | [email protected] | 7.1 | 0.03% | 2026-01-30 | 2026-02-13 |
| CVE-2022-28117 | A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter. | [email protected] | 4.9 | 67.13% | 2022-04-28 | 2024-11-21 |
| CVE-2021-44299 | A reflected cross-site scripting (XSS) vulnerability in \lib\packages\themes\themes.php of Navigate CMS v2.9.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. | [email protected] | 5.4 | 0.18% | 2022-01-19 | 2024-11-21 |
| CVE-2021-44351 | An arbitrary file read vulnerability exists in NavigateCMS 2.9 via /navigate/navigate_download.php id parameter. | [email protected] | 7.5 | 0.77% | 2022-01-06 | 2024-11-21 |
| CVE-2021-36455 | SQL Injection vulnerability in Naviwebs Navigate CMS 2.9 via the quicksearch parameter in \lib\packages\comments\comments.php. | [email protected] | 8.8 | 0.45% | 2021-08-06 | 2024-11-21 |
| CVE-2021-36454 | Cross Site Scripting (XSS) vulnerability in Naviwebs Navigate Cms 2.9 via the navigate-quickse parameter to 1) backups\backups.php, 2) blocks\blocks.php, 3) brands\brands.php, 4) comments\comments.php, 5) coupons\coupons.php, 6) feeds\feeds.php, 7) functions\functions.php, 8) items\items.php, 9) menus\menus.php, 10) orders\orders.php, 11) payment_methods\payment_methods.php, 12) products\products.php, 13) profiles\profiles.php, 14) shipping_methods\shipping_methods.php, 15) templates\templates.p | [email protected] | 5.4 | 0.30% | 2021-08-06 | 2024-11-21 |
| CVE-2020-23243 | Cross Site Scripting (XSS) vulnerability in NavigateCMS NavigateCMS 2.9 via the name="wrong_path_redirect" feature. | [email protected] | 4.8 | 0.21% | 2021-07-26 | 2024-11-21 |
| CVE-2020-23242 | Cross Site Scripting (XSS) vulnerability in NavigateCMS 2.9 when performing a Create or Edit via the Tools feature. | [email protected] | 4.8 | 0.29% | 2021-07-26 | 2024-11-21 |
| CVE-2021-37478 | In NavigateCMS version 2.9.4 and below, function `block` is vulnerable to sql injection on parameter `block-order`, which results in arbitrary sql query execution in the backend database. | [email protected] | 9.8 | 0.68% | 2021-07-26 | 2024-11-21 |
| CVE-2021-37477 | In NavigateCMS version 2.9.4 and below, function in `structure.php` is vulnerable to sql injection on parameter `children_order`, which results in arbitrary sql query execution in the backend database. | [email protected] | 9.8 | 0.68% | 2021-07-26 | 2024-11-21 |
| CVE-2021-37476 | In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `id` through a post request, which results in arbitrary sql query execution in the backend database. | [email protected] | 9.8 | 0.68% | 2021-07-26 | 2024-11-21 |
| CVE-2021-37475 | In NavigateCMS version 2.9.4 and below, function in `templates.php` is vulnerable to sql injection on parameter `template-properties-order`, which results in arbitrary sql query execution in the backend database. | [email protected] | 9.8 | 0.68% | 2021-07-26 | 2024-11-21 |
| CVE-2021-37473 | In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `products-order` through a post request, which results in arbitrary sql query execution in the backend database. | [email protected] | 9.8 | 0.68% | 2021-07-26 | 2024-11-21 |
| CVE-2020-23711 | SQL Injection vulnerability in NavigateCMS 2.9 via the URL encoded GET input category in navigate.php. | [email protected] | 9.8 | 0.51% | 2021-06-28 | 2024-11-21 |
| CVE-2020-23657 | NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration." | [email protected] | 5.4 | 0.21% | 2020-08-26 | 2024-11-21 |
| CVE-2020-23656 | NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Content." | [email protected] | 5.4 | 0.21% | 2020-08-26 | 2024-11-21 |
| CVE-2020-23655 | NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration." | [email protected] | 5.4 | 0.21% | 2020-08-26 | 2024-11-21 |
| CVE-2020-23654 | NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) via the module "Shop." | [email protected] | 5.4 | 0.21% | 2020-08-26 | 2024-11-21 |
| CVE-2020-14018 | An issue was discovered in Navigate CMS 2.9 r1433. There is a stored XSS vulnerability that is executed on the page to view users, and on the page to edit users. This is present in both the User field and the E-Mail field. On the Edit user page, the XSS is only triggered via the E-Mail field; however, on the View user page the XSS is triggered via either the User field or the E-Mail field. | [email protected] | 6.1 | 0.21% | 2020-06-24 | 2024-11-21 |