Aggregates CVE and vulnerability intelligence across all mojoPortal-related products, including CVSS scores, EPSS percentages, and publication and update dates.

Historical issues mainly involve cross-site scripting, path handling, XXE and related problems; some flaws may lead to session compromise and file overwrite.

| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-28367 | mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey. | [email protected] | 6.5 | 12.70% | 2025-04-21 | 2025-08-22 |
| CVE-2023-44012 | Cross Site Scripting vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the helpkey parameter in the Help.aspx component. | [email protected] | 6.1 | 15.20% | 2023-10-02 | 2024-11-21 |
| CVE-2023-44011 | An issue in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the layout.master skin file at the Skin management component. | [email protected] | 9.8 | 13.23% | 2023-10-02 | 2024-11-21 |
| CVE-2023-44009 | File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the Skin Management function. | [email protected] | 9.8 | 9.38% | 2023-10-02 | 2024-11-21 |
| CVE-2023-44008 | File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the File Manager function. | [email protected] | 9.8 | 9.38% | 2023-10-02 | 2024-11-21 |
| CVE-2023-24689 | An issue in Mojoportal v2.7.0.0 and below allows an authenticated attacker to list all css files inside the root path of the webserver via manipulation of the "s" parameter in /DesignTools/ManageSkin.aspx | [email protected] | 4.3 | 0.09% | 2023-02-09 | 2025-03-24 |
| CVE-2023-24688 | An issue in Mojoportal v2.7.0.0 allows an unauthenticated attacker to register a new user even if the Allow User Registrations feature is disabled. | [email protected] | 5.3 | 0.32% | 2023-02-09 | 2025-03-24 |
| CVE-2023-24687 | Mojoportal v2.7.0.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Company Info Settings component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtCompanyName parameter. | [email protected] | 5.4 | 0.22% | 2023-02-09 | 2025-03-24 |
| CVE-2023-24323 | Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability. | [email protected] | 8.8 | 0.22% | 2023-02-09 | 2025-03-24 |
| CVE-2023-24322 | A reflected cross-site scripting (XSS) vulnerability in the FileDialog.aspx component of mojoPortal v2.7.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ed and tbi parameters. | [email protected] | 6.1 | 46.48% | 2023-02-09 | 2025-03-24 |
| CVE-2022-40123 | mojoPortal v2.7 was discovered to contain a path traversal vulnerability via the "f" parameter at /DesignTools/CssEditor.aspx. This vulnerability allows authenticated attackers to read arbitrary files in the system. | [email protected] | 6.5 | 1.15% | 2022-10-03 | 2024-11-21 |
| CVE-2022-40341 | mojoPortal v2.7 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted PNG file. | [email protected] | 8.8 | 1.33% | 2022-09-30 | 2025-05-20 |
| CVE-2018-7447 | mojoPortal through 2.6.0.0 is prone to multiple persistent cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. The 'Title' and 'Subtitle' fields of the 'Blog' page are vulnerable. NOTE: The software maintainer disputes this as a vulnerability because the fields claimed to be vulnerable to XSS are only available to administrators who are supposed to have access to add scripts. | [email protected] | 4.8 | 0.23% | 2018-02-24 | 2024-11-21 |
| CVE-2017-1000457 | Cross-site scripting (XSS) vulnerability in Help.aspx in mojoPortal version 2.5.0.0 allows remote attackers to inject arbitrary web script or HTML via the helpkey parameter. Exploitation requires authenticated reflected cross-site scripting for user accounts assigned either the "Administrators" or "Content Administrators" role. | [email protected] | 4.8 | 0.17% | 2018-01-02 | 2024-11-21 |