Maven package
net.mingsoft/ms-mcms
pkg:maven/net.mingsoft/ms-mcms
Vulnerabilities (39)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-26585 | — | <= 5.2.7 | — | Apr 5, 2022 | Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability via /cms/content/list. | ||
| CVE-2021-46384 | — | < 5.2.6 | 5.2.6 | Mar 4, 2022 | https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: RCE. The impact is: execute arbitrary code (remote). The attack vector is: ${"freemarker.template.utility.Execute"?new()("calc")}. ¶¶ MCMS has a pre-auth RCE vulnerability through which allows unauthenticated attacker w | ||
| CVE-2022-23899 | — | <= 5.2.5 | — | Mar 3, 2022 | MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via search.do in the file /web/MCmsAction.java. | ||
| CVE-2022-23898 | — | <= 5.2.5 | — | Mar 3, 2022 | MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml. | ||
| CVE-2021-46063 | — | <= 5.2.5 | — | Feb 18, 2022 | MCMS v5.2.5 was discovered to contain a Server Side Template Injection (SSTI) vulnerability via the Template Management module. | ||
| CVE-2021-46062 | — | < 5.2.11 | 5.2.11 | Feb 18, 2022 | MCMS v5.2.5 was discovered to contain an arbitrary file deletion vulnerability via the component oldFileName. | ||
| CVE-2021-46037 | — | <= 5.2.4 | — | Feb 18, 2022 | MCMS v5.2.4 was discovered to contain an arbitrary file deletion vulnerability via the component /template/unzip.do. | ||
| CVE-2021-46036 | — | <= 5.2.4 | — | Feb 18, 2022 | An arbitrary file upload vulnerability in the component /ms/file/uploadTemplate.do of MCMS v5.2.4 allows attackers to execute arbitrary code. | ||
| CVE-2021-44868 | — | <= 5.1 | — | Feb 17, 2022 | A problem was found in ming-soft MCMS v5.1. There is a sql injection vulnerability in /ms/cms/content/list.do | ||
| CVE-2021-46385 | — | <= 5.2.5 | — | Jan 26, 2022 | https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.FormDataAction#queryData. The attack vector is: 0 or sleep(3). ¶¶ MCMS has a sql injection vulnerability th | ||
| CVE-2021-46383 | — | < 5.2.6 | 5.2.6 | Jan 26, 2022 | https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.web.DictAction#list. The attack vector is: 0 or sleep(3). ¶¶ MCMS has a sql injection vulnerability through | ||
| CVE-2021-46386 | — | <= 5.2.5 | — | Jan 26, 2022 | File upload vulnerability in mingSoft MCMS through 5.2.5, allows remote attackers to execute arbitrary code via a crafted jspx webshell to net.mingsoft.basic.action.web.FileAction#upload. | ||
| CVE-2022-22930 | — | < 5.2.9 | 5.2.9 | Jan 20, 2022 | A remote code execution (RCE) vulnerability in the Template Management function of MCMS v5.2.4 allows attackers to execute arbitrary code via a crafted payload. | ||
| CVE-2022-23315 | — | <= 5.2.4 | — | Jan 20, 2022 | MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnerability via the component /ms/template/writeFileContent.do. | ||
| CVE-2022-22929 | — | <= 5.2.4 | — | Jan 20, 2022 | MCMS v5.2.4 was discovered to have an arbitrary file upload vulnerability in the New Template module, which allows attackers to execute arbitrary code via a crafted ZIP file. | ||
| CVE-2020-23262 | — | < 5.1 | 5.1 | Jan 22, 2021 | An issue was discovered in ming-soft MCMS v5.0, where a malicious user can exploit SQL injection without logging in through /mcms/view.do. | ||
| CVE-2018-18831 | — | <= 4.6.5 | — | Oct 30, 2018 | An issue was discovered in com\mingsoft\cms\action\GeneraterAction.java in MCMS 4.6.5. An attacker can write a .jsp file (in the position parameter) to an arbitrary directory via a ../ Directory Traversal in the url parameter. | ||
| CVE-2018-18830 | — | <= 4.6.5 | — | Oct 30, 2018 | An issue was discovered in com\mingsoft\basic\action\web\FileAction.java in MCMS 4.6.5. Since the upload interface does not verify the user login status, you can use this interface to upload files without setting a cookie. First, start an upload of JSP code with a .png filename, | ||
| CVE-2018-17366 | — | <= 4.6.5 | — | Sep 23, 2018 | An issue was discovered in MCMS 4.6.5. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do. |
- CVE-2022-26585Apr 5, 2022affected <= 5.2.7
Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability via /cms/content/list.
- CVE-2021-46384Mar 4, 2022affected < 5.2.6fixed 5.2.6
https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: RCE. The impact is: execute arbitrary code (remote). The attack vector is: ${"freemarker.template.utility.Execute"?new()("calc")}. ¶¶ MCMS has a pre-auth RCE vulnerability through which allows unauthenticated attacker w
- CVE-2022-23899Mar 3, 2022affected <= 5.2.5
MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via search.do in the file /web/MCmsAction.java.
- CVE-2022-23898Mar 3, 2022affected <= 5.2.5
MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml.
- CVE-2021-46063Feb 18, 2022affected <= 5.2.5
MCMS v5.2.5 was discovered to contain a Server Side Template Injection (SSTI) vulnerability via the Template Management module.
- CVE-2021-46062Feb 18, 2022affected < 5.2.11fixed 5.2.11
MCMS v5.2.5 was discovered to contain an arbitrary file deletion vulnerability via the component oldFileName.
- CVE-2021-46037Feb 18, 2022affected <= 5.2.4
MCMS v5.2.4 was discovered to contain an arbitrary file deletion vulnerability via the component /template/unzip.do.
- CVE-2021-46036Feb 18, 2022affected <= 5.2.4
An arbitrary file upload vulnerability in the component /ms/file/uploadTemplate.do of MCMS v5.2.4 allows attackers to execute arbitrary code.
- CVE-2021-44868Feb 17, 2022affected <= 5.1
A problem was found in ming-soft MCMS v5.1. There is a sql injection vulnerability in /ms/cms/content/list.do
- CVE-2021-46385Jan 26, 2022affected <= 5.2.5
https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.FormDataAction#queryData. The attack vector is: 0 or sleep(3). ¶¶ MCMS has a sql injection vulnerability th
- CVE-2021-46383Jan 26, 2022affected < 5.2.6fixed 5.2.6
https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.web.DictAction#list. The attack vector is: 0 or sleep(3). ¶¶ MCMS has a sql injection vulnerability through
- CVE-2021-46386Jan 26, 2022affected <= 5.2.5
File upload vulnerability in mingSoft MCMS through 5.2.5, allows remote attackers to execute arbitrary code via a crafted jspx webshell to net.mingsoft.basic.action.web.FileAction#upload.
- CVE-2022-22930Jan 20, 2022affected < 5.2.9fixed 5.2.9
A remote code execution (RCE) vulnerability in the Template Management function of MCMS v5.2.4 allows attackers to execute arbitrary code via a crafted payload.
- CVE-2022-23315Jan 20, 2022affected <= 5.2.4
MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnerability via the component /ms/template/writeFileContent.do.
- CVE-2022-22929Jan 20, 2022affected <= 5.2.4
MCMS v5.2.4 was discovered to have an arbitrary file upload vulnerability in the New Template module, which allows attackers to execute arbitrary code via a crafted ZIP file.
- CVE-2020-23262Jan 22, 2021affected < 5.1fixed 5.1
An issue was discovered in ming-soft MCMS v5.0, where a malicious user can exploit SQL injection without logging in through /mcms/view.do.
- CVE-2018-18831Oct 30, 2018affected <= 4.6.5
An issue was discovered in com\mingsoft\cms\action\GeneraterAction.java in MCMS 4.6.5. An attacker can write a .jsp file (in the position parameter) to an arbitrary directory via a ../ Directory Traversal in the url parameter.
- CVE-2018-18830Oct 30, 2018affected <= 4.6.5
An issue was discovered in com\mingsoft\basic\action\web\FileAction.java in MCMS 4.6.5. Since the upload interface does not verify the user login status, you can use this interface to upload files without setting a cookie. First, start an upload of JSP code with a .png filename,
- CVE-2018-17366Sep 23, 2018affected <= 4.6.5
An issue was discovered in MCMS 4.6.5. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do.
Page 2 of 2