彙總 phpmywind 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 跨站腳本、SQL 注入、CSRF與路徑處理缺陷,在 生產負載與軟體部署 使用場景中可能帶來 工作階段劫持、資料外洩與檔案覆寫 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2020-21400 | SQL injection vulnerability in gaozhifeng PHPMyWind v.5.6 allows a remote attacker to execute arbitrary code via the id variable in the modify function. | [email protected] | 7.2 | 0.93% | 2023-06-20 | 2024-12-10 |
| CVE-2020-21060 | SQL injection vulnerability found in PHPMyWind v.5.6 allows a remote attacker to gain privileges via the delete function of the administrator management page. | [email protected] | 8.8 | 0.92% | 2023-04-04 | 2025-02-13 |
| CVE-2020-19964 | A Cross Site Request Forgery (CSRF) vulnerability was discovered in PHPMyWind 5.6 which allows attackers to create a new administrator account without authentication. | [email protected] | 6.5 | 0.64% | 2021-10-14 | 2024-11-21 |
| CVE-2021-39503 | PHPMyWind 5.6 is vulnerable to Remote Code Execution. Becase input is filtered without "<, >, ?, =, `,...." In WriteConfig() function, an attacker can inject php code to /include/config.cache.php file. | [email protected] | 7.2 | 2.73% | 2021-09-07 | 2024-11-21 |
| CVE-2020-18886 | Unrestricted File Upload in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the component 'admin/upload_file_do.php'. | [email protected] | 7.2 | 1.80% | 2021-08-20 | 2024-11-21 |
| CVE-2020-18885 | Command Injection in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the "text color" field of the component '/admin/web_config.php'. | [email protected] | 7.2 | 3.87% | 2021-08-20 | 2024-11-21 |
| CVE-2020-18230 | Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_switchshow" of component " /admin/web_config.php". | [email protected] | 4.8 | 0.98% | 2021-05-27 | 2024-11-21 |
| CVE-2020-18229 | Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_copyright" of component " /admin/web_config.php". | [email protected] | 4.8 | 0.93% | 2021-05-27 | 2024-11-21 |
| CVE-2019-16704 | admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS. | [email protected] | 4.8 | 0.75% | 2019-09-23 | 2024-11-21 |
| CVE-2019-16703 | admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. | [email protected] | 6.1 | 0.82% | 2019-09-23 | 2024-11-21 |
| CVE-2019-7661 | An issue was discovered in PHPMyWind 5.5. The method parameter of the data/api/oauth/connect.php page has a reflected Cross-site Scripting (XSS) vulnerability. | [email protected] | 6.1 | 0.86% | 2019-03-07 | 2024-11-21 |
| CVE-2019-7660 | An issue was discovered in PHPMyWind 5.5. The username parameter of the /install/index.php page has a stored Cross-site Scripting (XSS) vulnerability, as demonstrated by admin/login.php. | [email protected] | 6.1 | 0.86% | 2019-03-07 | 2024-11-21 |
| CVE-2019-8435 | admin/default.php in PHPMyWind v5.5 has XSS via an HTTP Host header. | [email protected] | 4.8 | 0.58% | 2019-02-18 | 2024-11-21 |
| CVE-2019-7403 | An issue was discovered in PHPMyWind 5.5. It allows remote attackers to delete arbitrary folders via an admin/database_backup.php?action=import&dopost=deldir&tbname=../ URI. | [email protected] | 4.9 | 1.69% | 2019-02-05 | 2024-11-21 |
| CVE-2019-7402 | An issue was discovered in PHPMyWind 5.5. The GetQQ function in include/func.class.php allows XSS via the cfg_qqcode parameter. This can be exploited via CSRF. | [email protected] | 6.1 | 0.43% | 2019-02-05 | 2024-11-21 |
| CVE-2018-17134 | admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the cfg_author field in conjunction with a crafted cfg_webpath field. | [email protected] | 7.2 | 1.84% | 2018-09-17 | 2024-11-21 |
| CVE-2018-17133 | admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the rewrite url setting. | [email protected] | 7.2 | 1.84% | 2018-09-17 | 2024-11-21 |
| CVE-2018-17132 | admin/goods_update.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the attrvalue[] array parameter. | [email protected] | 7.2 | 1.84% | 2018-09-17 | 2024-11-21 |
| CVE-2018-17131 | admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the varvalue field. | [email protected] | 7.2 | 1.84% | 2018-09-17 | 2024-11-21 |
| CVE-2018-17130 | PHPMyWind 5.5 has XSS in member.php via an HTTP Referer header, | [email protected] | 5.4 | 0.53% | 2018-09-17 | 2024-11-21 |