Aggregates CVE and security vulnerability intelligence across all Naviwebs-related products, including CVSS and EPSS scores and publication and update dates.
Historical issues mainly involve cross-site scripting, SQL injection, path handling, CSRF, and related problems; some flaws may lead to session compromise.

| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2020-37054 | Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation. | [email protected] | 5.1 | 0.01% | 2026-01-30 | 2026-02-13 |
| CVE-2020-37053 | Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts. | [email protected] | 7.1 | 0.03% | 2026-01-30 | 2026-02-13 |
| CVE-2022-28117 | A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter. | [email protected] | 4.9 | 67.13% | 2022-04-28 | 2024-11-21 |
| CVE-2021-44299 | A reflected cross-site scripting (XSS) vulnerability in \lib\packages\themes\themes.php of Navigate CMS v2.9.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. | [email protected] | 5.4 | 0.30% | 2022-01-19 | 2024-11-21 |
| CVE-2021-44351 | An arbitrary file read vulnerability exists in NavigateCMS 2.9 via /navigate/navigate_download.php id parameter. | [email protected] | 7.5 | 0.77% | 2022-01-06 | 2024-11-21 |
| CVE-2021-36455 | SQL Injection vulnerability in Naviwebs Navigate CMS 2.9 via the quicksearch parameter in \lib\packages\comments\comments.php. | [email protected] | 8.8 | 0.45% | 2021-08-06 | 2024-11-21 |
| CVE-2021-36454 | Cross Site Scripting (XSS) vulnerability in Naviwebs Navigate Cms 2.9 via the navigate-quickse parameter to 1) backups\backups.php, 2) blocks\blocks.php, 3) brands\brands.php, 4) comments\comments.php, 5) coupons\coupons.php, 6) feeds\feeds.php, 7) functions\functions.php, 8) items\items.php, 9) menus\menus.php, 10) orders\orders.php, 11) payment_methods\payment_methods.php, 12) products\products.php, 13) profiles\profiles.php, 14) shipping_methods\shipping_methods.php, 15) templates\templates.p | [email protected] | 5.4 | 0.30% | 2021-08-06 | 2024-11-21 |
| CVE-2020-23243 | Cross Site Scripting (XSS) vulnerability in NavigateCMS NavigateCMS 2.9 via the name="wrong_path_redirect" feature. | [email protected] | 4.8 | 0.21% | 2021-07-26 | 2024-11-21 |
| CVE-2020-23242 | Cross Site Scripting (XSS) vulnerability in NavigateCMS 2.9 when performing a Create or Edit via the Tools feature. | [email protected] | 4.8 | 0.29% | 2021-07-26 | 2024-11-21 |
| CVE-2021-37478 | In NavigateCMS version 2.9.4 and below, function `block` is vulnerable to sql injection on parameter `block-order`, which results in arbitrary sql query execution in the backend database. | [email protected] | 9.8 | 0.68% | 2021-07-26 | 2024-11-21 |
| CVE-2021-37477 | In NavigateCMS version 2.9.4 and below, function in `structure.php` is vulnerable to sql injection on parameter `children_order`, which results in arbitrary sql query execution in the backend database. | [email protected] | 9.8 | 0.68% | 2021-07-26 | 2024-11-21 |
| CVE-2021-37476 | In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `id` through a post request, which results in arbitrary sql query execution in the backend database. | [email protected] | 9.8 | 0.68% | 2021-07-26 | 2024-11-21 |
| CVE-2021-37475 | In NavigateCMS version 2.9.4 and below, function in `templates.php` is vulnerable to sql injection on parameter `template-properties-order`, which results in arbitrary sql query execution in the backend database. | [email protected] | 9.8 | 0.68% | 2021-07-26 | 2024-11-21 |
| CVE-2021-37473 | In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `products-order` through a post request, which results in arbitrary sql query execution in the backend database. | [email protected] | 9.8 | 0.68% | 2021-07-26 | 2024-11-21 |
| CVE-2020-23711 | SQL Injection vulnerability in NavigateCMS 2.9 via the URL encoded GET input category in navigate.php. | [email protected] | 9.8 | 0.51% | 2021-06-28 | 2024-11-21 |
| CVE-2020-23657 | NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration." | [email protected] | 5.4 | 0.21% | 2020-08-26 | 2024-11-21 |
| CVE-2020-23656 | NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Content." | [email protected] | 5.4 | 0.21% | 2020-08-26 | 2024-11-21 |
| CVE-2020-23655 | NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration." | [email protected] | 5.4 | 0.21% | 2020-08-26 | 2024-11-21 |
| CVE-2020-23654 | NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) via the module "Shop." | [email protected] | 5.4 | 0.21% | 2020-08-26 | 2024-11-21 |
| CVE-2020-14018 | An issue was discovered in Navigate CMS 2.9 r1433. There is a stored XSS vulnerability that is executed on the page to view users, and on the page to edit users. This is present in both the User field and the E-Mail field. On the Edit user page, the XSS is only triggered via the E-Mail field; however, on the View user page the XSS is triggered via either the User field or the E-Mail field. | [email protected] | 6.1 | 0.21% | 2020-06-24 | 2024-11-21 |