Security advisories

Date: 2024-04-09
CVE ID: CVE-2024-28235

If the crawler is set to crawl protected pages, it sends the cookie header to externals URLs.

Date: 2024-04-09
CVE ID: CVE-2024-28190

Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the back end.

Date: 2024-04-09
CVE ID: CVE-2024-28191

It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way.

Date: 2024-04-09
CVE ID: CVE-2024-30262

When a front end member changes their password, the corresponding remember-me tokens are not removed.

Date: 2024-04-09
CVE ID: CVE-2024-28234

If BBCode is enabled for comments, users can inject CSS styles.

Date: 2023-07-25
CVE ID: CVE-2023-36806

Authenticated users can inject malicious code in widgets with units.

Date: 2023-04-25
CVE ID: CVE-2023-29200

Authenticated users in the back end can list files outside the document root in the file manager.

Date: 2022-05-05
CVE ID: CVE-2022-24899

Untrusted users can inject malicious code into the canonical tag, which is then executed on the web page (front end).

Date: 2021-08-11
CVE ID: CVE-2021-37627

It is possible for untrusted users to gain administrator rights with the form generator.

Date: 2021-08-11
CVE ID: CVE-2021-37626

It is possible for untrusted users to load arbitrary PHP files via insert tags.