CVE Tools

b2evolution

Web & CMS Pluginsoss-project

17

Cumulative CVEs

12

Monthly snapshots

#51

Peak rank

Top products

b2evolution2 b2evolution cms1

Latest CVEs

The 15 most recently published vulnerabilities affecting b2evolution.

CVE-2021-47800b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)5.3Jan 15, 2026
CVE-2022-44036In b2evolution 7.2.5, if configured with admins_can_manipulate_sensitive_files, arbitrary file upload is allowed for admins, leading to command execution. NOTE: the vendor's position is that this i...7.2Jan 3, 2023
CVE-2022-30935An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. This allows the attacker ...9.1Sep 28, 2022
CVE-2021-31632b2evolution CMS v7.2.3 was discovered to contain a SQL injection vulnerability via the parameter cfqueryparam in the User login section. This vulnerability allows attackers to execute arbitrary cod...9.8Dec 6, 2021
CVE-2021-31631b2evolution CMS v7.2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the User login page. This vulnerability allows attackers to escalate privileges.8.8Dec 6, 2021
CVE-2021-28242SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when...8.8Apr 15, 2021
CVE-2020-22839Reflected cross-site scripting vulnerability (XSS) in the evoadm.php file in b2evolution cms version 6.11.6-stable allows remote attackers to inject arbitrary webscript or HTML code via the tab3 pa...6.1Feb 9, 2021
CVE-2020-22841Stored XSS in b2evolution CMS version 6.11.6 and prior allows an attacker to perform malicious JavaScript code execution via the plugin name input field in the plugin module.4.8Feb 9, 2021
CVE-2020-22840Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_p...6.1Feb 9, 2021
CVE-2016-8901b2evolution 6.7.6 suffer from an Object Injection vulnerability in /htsrv/call_plugin.php.9.8May 23, 2019
CVE-2017-1000423b2evolution version 6.6.0 - 6.8.10 is vulnerable to input validation (backslash and single quote escape) in basic install functionality resulting in unauthenticated attacker gaining PHP code execut...9.8Jan 2, 2018
CVE-2017-5553Cross-site scripting (XSS) vulnerability in plugins/markdown_plugin/_markdown.plugin.php in b2evolution before 6.8.5 allows remote authenticated users to inject arbitrary web script or HTML via a j...5.4Jan 23, 2017
CVE-2017-5539The patch for directory traversal (CVE-2017-5480) in b2evolution version 6.8.4-stable has a bypass vulnerability. An attacker can use ..\/ to bypass the filter rule. Then, this attacker can exploit...9.1Jan 23, 2017
CVE-2016-7150Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the site name.5.4Jan 18, 2017
CVE-2016-7149Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to the autolink function.6.1Jan 18, 2017