Filtered by vendor 1000mz
Subscribe
Total
6 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-57450 | 1 1000mz | 1 Chestnutcms | 2025-05-13 | N/A | 9.8 CRITICAL |
| ChestnutCMS <=1.5.0 is vulnerable to File Upload via the Create template function. | |||||
| CVE-2024-57452 | 1 1000mz | 1 Chestnutcms | 2025-05-13 | N/A | 7.5 HIGH |
| ChestnutCMS <=1.5.0 has an arbitrary file deletion vulnerability in contentcore.controller.FileController, which allows attackers to delete any file and folder. | |||||
| CVE-2024-57451 | 1 1000mz | 1 Chestnutcms | 2025-05-13 | N/A | 7.5 HIGH |
| ChestnutCMS <=1.5.0 has a directory traversal vulnerability in contentcore.controller.FileController#getFileList, which allows attackers to view any directory. | |||||
| CVE-2025-2031 | 1 1000mz | 1 Chestnutcms | 2025-05-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in ChestnutCMS up to 1.5.2. This affects the function uploadFile of the file /dev-api/cms/file/upload. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-2032 | 1 1000mz | 1 Chestnutcms | 2025-05-12 | 2.7 LOW | 3.5 LOW |
| A vulnerability classified as problematic was found in ChestnutCMS 1.5.2. This vulnerability affects the function renameFile of the file /cms/file/rename. The manipulation of the argument rename leads to path traversal. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-56828 | 1 1000mz | 1 Chestnutcms | 2025-04-21 | N/A | 9.8 CRITICAL |
| File Upload vulnerability in ChestnutCMS through 1.5.0. Based on the code analysis, it was determined that the /api/member/avatar API endpoint receives a base64 string as input. This string is then passed to the memberService.uploadAvatarByBase64 method for processing. Within the service, the base64-encoded image is parsed. For example, given a string like: data:image/html;base64,PGh0bWw+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPjwvaHRtbD4= the content after the comma is extracted and decoded using Base64.getDecoder().decode(). The substring from the 11th character up to the first occurrence of a semicolon (;) is assigned to the suffix variable (representing the file extension). The decoded content is then written to a file. However, the file extension is not validated, and since this functionality is exposed to the frontend, it poses significant security risks. | |||||