A code injection vulnerability in hisiphp 2.0.11
In https://github.com/hisiphp/hisiphp/blob/d05c908c29d574b84aa9e8932b13a5ef54e0a429/application/system/admin/Plugins.php#L129, $data is controlled by users.
$model = new PluginsModel();
$data = $this->request->post();
$result = $this->validate($data, 'app\system\validate\SystemPlugins');
if ($result !== true) {
return $this->error($result);
A code injection vulnerability in Onethink 1.1
In https://github.com/liu21st/onethink/blob/f705308bc24611af650e6830e3be2a07dd8bb823/wwwroot/Application/Admin/Controller/AddonsController.class.php#L38, $data is controlled by users.
$data = $_POST;In https://github.com/liu21st/onethink/blob/f705308bc24611af650e6830e3be2a07dd8bb823/wwwroot/Application/Admin/Controller/AddonsController.class.php#L226, $data['config'] is written into a php file directly.
A SQL injection vulnerability in Onethink 1.1
In https://github.com/liu21st/onethink/blob/f705308bc24611af650e6830e3be2a07dd8bb823/wwwroot/Application/Admin/Controller/ModelController.class.php#L148,
$table is controlled by users.
$table = I('post.table');
empty($table) && $this->error('请选择要生成的数据表!');
$res = D('Model')->generate($table,I('post.name'),I('post.title'));
A SSRF vulnerability in gleezcms 1.20.
If :// is present in the URL path, GleezCMS will use the cURL library to send a request specified by the attacker.
POC:
https://gleezcms.org/http%3A%2F%2Fwww.google.com
https://gleezcms.org/gopher%3A%2F%2F127%2E0%2E0%2E1%3A9000%2F%5Ftest
A SQL injection vulnerability in Razor v0.8.0.
In https://github.com/cobub/razor/blob/2c991aff4a9c83f99e77a03e26056715706f15c0/web/application/controllers/manage/autoupdate.php#L187,
$description is controlled by users and has few restrictions on its format.
$this->form_validation->set_rules('description', lang('v_man_au_updateLog'), 'trim|required|xss_clean');
$this->form_validation->set_rules('versionid', lang('v_man_au_versionID'), 'trim|required|xss_clean|callback_versionid_check');
//......
$description = $this->input->post('description');