彙總 osclass 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
歷史漏洞主要涉及 跨站腳本與路徑處理缺陷 等問題,部分漏洞可能導致 檔案覆寫,並影響 生產負載與軟體部署 相關場景。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2016-10751 | osClass 3.6.1 allows oc-admin/plugins.php Directory Traversal via the plugin parameter. This is exploitable for remote PHP code execution because an administrator can upload an image that contains PHP code in the EXIF data via index.php?page=ajax&action=ajax_upload. | [email protected] | 7.2 | 0.84% | 2019-05-24 | 2024-11-21 |
| CVE-2018-14481 | Osclass 3.7.4 has XSS via the query string to index.php, a different vulnerability than CVE-2014-6280. | [email protected] | 6.1 | 0.19% | 2019-01-03 | 2024-11-21 |
| CVE-2014-8085 | Unrestricted file upload vulnerability in the CWebContact::doModel method in oc-includes/osclass/controller/contact.php in OSClass before 3.4.3 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in an unspecified directory. | [email protected] | 6.8 | 1.04% | 2015-01-05 | 2026-05-06 |
| CVE-2014-8084 | Directory traversal vulnerability in oc-includes/osclass/controller/ajax.php in OSClass before 3.4.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the ajaxfile parameter in a custom action. | [email protected] | 7.5 | 2.12% | 2015-01-05 | 2026-05-06 |
| CVE-2014-8083 | SQL injection vulnerability in the Search::setJsonAlert method in OSClass before 3.4.3 allows remote attackers to execute arbitrary SQL commands via the alert parameter in a search alert subscription action. | [email protected] | 7.5 | 0.60% | 2015-01-05 | 2026-05-06 |
| CVE-2014-6308 | Directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php. | [email protected] | 5.0 | 74.13% | 2014-10-20 | 2026-05-06 |
| CVE-2014-6280 | Multiple cross-site scripting (XSS) vulnerabilities in OSClass before 3.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) action or (2) nsextt parameter to oc-admin/index.php or the (3) nsextt parameter in an items_reported action to oc-admin/index.php. | [email protected] | 4.3 | 0.38% | 2014-10-20 | 2026-05-06 |
| CVE-2012-5163 | Cross-site scripting (XSS) vulnerability in oc-admin/ajax/ajax.php in OSClass before 2.3.5 allows remote attackers to inject arbitrary web script or HTML via the id parameter in an enable_category action to index.php. | [email protected] | 4.3 | 0.40% | 2012-09-26 | 2026-04-29 |
| CVE-2012-5162 | Multiple SQL injection vulnerabilities in oc-admin/ajax/ajax.php in OSClass before 2.3.5 allow remote attackers to execute arbitrary SQL commands via the id parameter in a (1) edit_category_post or (2) enable_category action to index.php. | [email protected] | 6.5 | 0.36% | 2012-09-26 | 2026-04-29 |
| CVE-2012-0973 | Multiple SQL injection vulnerabilities in OSClass before 2.3.5 allow remote attackers to execute arbitrary SQL commands via the sCategory parameter to index.php, which is not properly handled by the (1) osc_search_category_id function in oc-includes/osclass/helpers/hSearch.php and (2) findBySlug function oc-includes/osclass/model/Category.php. NOTE: some of these details are obtained from third party information. | [email protected] | 7.5 | 2.51% | 2012-09-25 | 2026-04-29 |