These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2017-5520 is a high-severity file handling flaw in GeniXCMS through 0.0.8. According to the CVE record, the media rename feature does not account for alternative PHP file extensions when checking uploaded files for PHP content. That gap can allow a user with the needed application access to rename a file to .php6, .php7, or .phtml and have it executed by the server. NVD rates the issue CVSS 3.0 8.8 wi [truncated]
CVE-2017-5519 is a critical SQL injection vulnerability affecting GeniXCMS through version 0.0.8. The issue is in Posts.class.php and can be triggered remotely through the id parameter, allowing an attacker to execute arbitrary SQL commands. NVD rates the flaw as CVSS 3.0 9.8 with no privileges or user interaction required.
CVE-2017-5518 describes a server-side request forgery (SSRF) weakness in the GeniXCMS media-file upload feature affecting versions through 0.0.8. The issue can let a remote attacker submit a URL that causes the application to make unexpected server-side requests, including toward intranet addresses. NVD assigns CWE-918 and a HIGH severity score (CVSS 3.0: 7.4), reflecting the potential for impact beyond t [truncated]
CVE-2017-5517 is a critical SQL injection flaw in GeniXCMS’s author.control.php. According to the NVD record, a remote attacker can abuse the type parameter to execute arbitrary SQL commands, with no authentication or user interaction required.
CVE-2017-5516 is a medium-severity cross-site scripting issue affecting GeniXCMS through version 0.0.8. The vulnerability is described as multiple XSS flaws in user forms that allow an attacker to inject arbitrary web script or HTML via crafted parameters. Because the attack requires user interaction but no privileges, it is especially important for any internet-facing deployment that accepts form input f [truncated]
CVE-2017-5515 is a medium-severity cross-site scripting issue affecting GeniXCMS through version 0.0.8. According to the published description and NVD metadata, a remote authenticated user can inject arbitrary web script or HTML through tag names in the user prompt function. The CVSS 3.0 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network reachability, low attack complexity, low privileges, and [truncated]