Metinfo
By the Year
In 2024 there have been 0 vulnerabilities in Metinfo. Metinfo did not have any published security vulnerabilities last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 0 | 0.00 |
2023 | 0 | 0.00 |
2022 | 3 | 9.47 |
2021 | 13 | 8.29 |
2020 | 1 | 9.80 |
2019 | 8 | 8.04 |
2018 | 18 | 6.62 |
It may take a day or so for new Metinfo vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Metinfo Security Vulnerabilities
A Cross-Site Request Forgery (CSRF) in the Administrator List of MetInfo v7.7
CVE-2022-44849
8.8 - High
- December 07, 2022
A Cross-Site Request Forgery (CSRF) in the Administrator List of MetInfo v7.7 allows attackers to arbitrarily add Super Administrator account.
Session Riding
Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in parameter_admin.class.php
CVE-2022-22295
9.8 - Critical
- February 14, 2022
Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in parameter_admin.class.php via the table_para parameter.
SQL Injection
Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in language_general.class.php
CVE-2022-23335
9.8 - Critical
- February 14, 2022
Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in language_general.class.php via doModifyParameter.
SQL Injection
MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerability in the $name parameter of admin/?n=column&c=index&a=doAddColumn.
CVE-2020-20600
5.4 - Medium
- December 22, 2021
MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerability in the $name parameter of admin/?n=column&c=index&a=doAddColumn.
XSS
MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF)
CVE-2020-21126
8.8 - High
- September 15, 2021
MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo.
Session Riding
MetInfo 7.0.0 contains a SQL injection vulnerability
CVE-2020-21127
9.8 - Critical
- September 15, 2021
MetInfo 7.0.0 contains a SQL injection vulnerability via admin/?n=logs&c=index&a=dodel.
SQL Injection
A SQL injection in the /admin/?n=logs&c=index&a=dolist component of Metinfo 7.0
CVE-2020-20981
7.5 - High
- August 12, 2021
A SQL injection in the /admin/?n=logs&c=index&a=dolist component of Metinfo 7.0 allows attackers to access sensitive database information.
SQL Injection
An issue in /admin/index.php?n=system&c=filept&a=doGetFileList of Metinfo v7.0.0
CVE-2020-19304
7.5 - High
- August 03, 2021
An issue in /admin/index.php?n=system&c=filept&a=doGetFileList of Metinfo v7.0.0 allows attackers to perform a directory traversal and access sensitive information.
Directory traversal
An issue in /app/system/column/admin/index.class.php of Metinfo v7.0.0 causes the indeximg parameter to be deleted when the column is deleted
CVE-2020-19305
9.8 - Critical
- August 03, 2021
An issue in /app/system/column/admin/index.class.php of Metinfo v7.0.0 causes the indeximg parameter to be deleted when the column is deleted, allowing attackers to escalate privileges.
Directory traversal
SQL Injection vulnerability in Metinfo 6.1.3
CVE-2020-18175
9.8 - Critical
- July 30, 2021
SQL Injection vulnerability in Metinfo 6.1.3 via a dosafety_emailadd action in basic.php.
SQL Injection
Cross Site Request Forgery (CSRF) vulnerability in MetInfo 6.1.3
CVE-2020-18157
8.8 - High
- July 30, 2021
Cross Site Request Forgery (CSRF) vulnerability in MetInfo 6.1.3 via a doaddsave action in admin/index.php.
Session Riding
SQL Injection vulnerability in MetInfo 7.0.0beta
CVE-2020-21131
7.2 - High
- July 12, 2021
SQL Injection vulnerability in MetInfo 7.0.0beta via admin/?n=language&c=language_web&a=doAddLanguage.
SQL Injection
SQL Injection vulnerability in Metinfo 7.0.0beta in index.php.
CVE-2020-21132
9.8 - Critical
- July 12, 2021
SQL Injection vulnerability in Metinfo 7.0.0beta in index.php.
SQL Injection
SQL Injection vulnerability in Metinfo 7.0.0 beta in member/getpassword.php?lang=cn&a=dovalid.
CVE-2020-21133
9.8 - Critical
- July 12, 2021
SQL Injection vulnerability in Metinfo 7.0.0 beta in member/getpassword.php?lang=cn&a=dovalid.
SQL Injection
A blind SQL injection in /admin/?n=logs&c=index&a=dode of Metinfo 7.0 beta
CVE-2020-20585
7.5 - High
- July 08, 2021
A blind SQL injection in /admin/?n=logs&c=index&a=dode of Metinfo 7.0 beta allows attackers to access sensitive database information.
SQL Injection
Cross Site Scripting (XSS) vulnerability in MetInfo 7.0.0
CVE-2020-21517
6.1 - Medium
- June 21, 2021
Cross Site Scripting (XSS) vulnerability in MetInfo 7.0.0 via the gourl parameter in login.php.
XSS
An issue was discovered in MetInfo v7.0.0 beta
CVE-2020-20800
9.8 - Critical
- September 30, 2020
An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the install/index.php?action=adminsetup&cndata=yes&endata=yes&showdata=yes URI.
SQL Injection
app/system/admin/admin/index.class.php in MetInfo 7.0.0beta
CVE-2019-17676
8.8 - High
- October 17, 2019
app/system/admin/admin/index.class.php in MetInfo 7.0.0beta allows a CSRF attack to add a user account via a doSaveSetup action to admin/index.php, as demonstrated by an admin/?n=admin&c=index&a=doSaveSetup URI.
Session Riding
An issue was discovered in MetInfo v7.0.0 beta
CVE-2019-17553
9.8 - Critical
- October 14, 2019
An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the admin/?n=tags&c=index&a=doSaveTags URI.
SQL Injection
An issue was discovered in MetInfo 7.0
CVE-2019-17419
7.2 - High
- October 10, 2019
An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=user&c=admin_user&a=doGetUserInfo id parameter.
SQL Injection
An issue was discovered in MetInfo 7.0
CVE-2019-17418
7.2 - High
- October 10, 2019
An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=language&c=language_general&a=doSearchParameter appno parameter, a different issue than CVE-2019-16997.
SQL Injection
In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/language/admin/language_general.class.php
CVE-2019-16997
7.2 - High
- September 30, 2019
In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/language/admin/language_general.class.php via the admin/?n=language&c=language_general&a=doExportPack appno parameter.
SQL Injection
In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/product/admin/product_admin.class.php
CVE-2019-16996
7.2 - High
- September 30, 2019
In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/product/admin/product_admin.class.php via the admin/?n=product&c=product_admin&a=dopara&app_type=shop id parameter.
SQL Injection
Metinfo 6.x allows SQL Injection
CVE-2019-13969
8.8 - High
- July 19, 2019
Metinfo 6.x allows SQL Injection via the id parameter in an admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1 request.
SQL Injection
An issue was discovered in Metinfo 6.x
CVE-2019-7718
8.1 - High
- February 11, 2019
An issue was discovered in Metinfo 6.x. An attacker can leverage a race condition in the backend database backup function to execute arbitrary PHP code via admin/index.php?n=databack&c=index&a=dogetsql&tables=<?php and admin/databack/bakup_tables.php?2=file_put_contents URIs because app/system/databack/admin/index.class.php creates bakup_tables.php temporarily.
Race Condition
MetInfo 6.x through 6.1.3 has XSS
CVE-2018-20486
6.1 - Medium
- December 26, 2018
MetInfo 6.x through 6.1.3 has XSS via the /admin/login/login_check.php url_array[] parameter.
XSS
In Metinfo 6.1.3, include/interface/applogin.php
CVE-2018-19836
6.1 - Medium
- December 03, 2018
In Metinfo 6.1.3, include/interface/applogin.php allows setting arbitrary HTTP headers (including the Cookie header), and common.inc.php allows registering variables from the $_COOKIE value. This issue can, for example, be exploited in conjunction with CVE-2018-19835 to bypass many XSS filters such as the Chrome XSS filter.
Incorrect Permission Assignment for Critical Resource
Metinfo 6.1.3 has reflected XSS
CVE-2018-19835
6.1 - Medium
- December 03, 2018
Metinfo 6.1.3 has reflected XSS via the admin/column/move.php lang_columnerr4 parameter.
XSS
MetInfo 6.1.3 has XSS
CVE-2018-19051
6.1 - Medium
- November 07, 2018
MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword abt_type parameter.
XSS
MetInfo 6.1.3 has XSS
CVE-2018-19050
6.1 - Medium
- November 07, 2018
MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword langset parameter.
XSS
XSS exists in the MetInfo 6.1.2 admin/index.php page
CVE-2018-18374
5.4 - Medium
- October 16, 2018
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.
XSS
MetInfo 6.1.2 has XSS
CVE-2018-18296
6.1 - Medium
- October 15, 2018
MetInfo 6.1.2 has XSS via the /admin/index.php bigclass parameter in an n=column&a=doadd action.
XSS
MetInfo 6.1.0 has SQL injection in doexport() in app/system/feedback/admin/feedback_admin.class.php
CVE-2018-17129
4.9 - Medium
- September 17, 2018
MetInfo 6.1.0 has SQL injection in doexport() in app/system/feedback/admin/feedback_admin.class.php via the class1 field.
SQL Injection
MetInfo 6.0.0 allows a CSRF attack to add a user account
CVE-2018-14420
8.8 - High
- July 20, 2018
MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsave action to admin/index.php, as demonstrated by an admin/index.php?anyid=47&n=admin&c=admin_admin&a=doaddsave URI.
Session Riding
MetInfo 6.0.0 allows XSS
CVE-2018-14419
4.8 - Medium
- July 20, 2018
MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page.
XSS
Metinfo v6.0.0 allows remote attackers to write code into a .php file, and execute
CVE-2018-13024
7.2 - High
- June 29, 2018
Metinfo v6.0.0 allows remote attackers to write code into a .php file, and execute that code, via the module parameter to admin/column/save.php in an editor upload action.
Unrestricted File Upload
An issue was discovered in MetInfo 6.0.0
CVE-2018-12531
9.8 - Critical
- June 18, 2018
An issue was discovered in MetInfo 6.0.0. install\index.php allows remote attackers to write arbitrary PHP code into config_db.php, a different vulnerability than CVE-2018-7271.
Code Injection
An issue was discovered in MetInfo 6.0.0
CVE-2018-12530
6.5 - Medium
- June 18, 2018
An issue was discovered in MetInfo 6.0.0. admin/app/batch/csvup.php allows remote attackers to delete arbitrary files via a flienamecsv=../ directory traversal. This can be exploited via CSRF.
Directory traversal
The front page of MetInfo 6.0
CVE-2018-9985
6.1 - Medium
- April 10, 2018
The front page of MetInfo 6.0 allows XSS by sending a feedback message to an administrator.
XSS
The reset-password feature in MetInfo 6.0 allows remote attackers to change arbitrary passwords via vectors involving a Host HTTP header
CVE-2018-9934
8.8 - High
- April 10, 2018
The reset-password feature in MetInfo 6.0 allows remote attackers to change arbitrary passwords via vectors involving a Host HTTP header that is modified to specify a web server under the attacker's control.
Cross-site scripting (XSS) vulnerability in save.php in MetInfo 6.0
CVE-2018-9928
6.1 - Medium
- April 10, 2018
Cross-site scripting (XSS) vulnerability in save.php in MetInfo 6.0 allows remote attackers to inject arbitrary web script or HTML via the webname or weburl parameter.
XSS
Cross Site Scripting (XSS) exists in MetInfo 6.0.0 via /feedback/index.php
CVE-2018-7721
6.1 - Medium
- March 07, 2018
Cross Site Scripting (XSS) exists in MetInfo 6.0.0 via /feedback/index.php because app/system/feedback/web/feedback.class.php mishandles input data.
XSS
An issue was discovered in MetInfo 6.0.0
CVE-2018-7271
8.1 - High
- February 21, 2018
An issue was discovered in MetInfo 6.0.0. In install/install.php in the installation process, the config/config_db.php configuration file filtering is not rigorous: one can insert malicious code in the installation process to execute arbitrary commands or obtain a web shell.
Code Injection