VYPR

SLiMS 8 Akasia

by Slims

CVEs (7)

  • CVE-2018-12659 (High) Jun 22, 2018
    risk 0.57, CVSS 8.8, EPSS 0.01

    SLiMS 8 Akasia 8.3.1 allows remote attackers to bypass the CSRF protection mechanism and obtain admin access by omitting the csrf_token parameter.

  • CVE-2017-12585 (High) Aug 6, 2017
    risk 0.57, CVSS 8.8, EPSS 0.02

    SLiMS 8 Akasia through 8.3.1 has SQL injection in admin/AJAX_lookup_handler.php (tableName and tableFields parameters), admin/AJAX_check_id.php, and admin/AJAX_vocabolary_control.php. It can be exploited by remote authenticated librarian users.

  • CVE-2017-12584 (High) Aug 6, 2017
    risk 0.57, CVSS 8.8, EPSS 0.01

    There is no CSRF mitigation in SLiMS 8 Akasia through 8.3.1. Also, an entire user profile (including the password) can be updated without sending the current password. This allows remote attackers to trick a user into changing to an attacker-controlled password, a complete…

  • CVE-2017-12586 (Medium) Aug 6, 2017
    risk 0.42, CVSS 6.5, EPSS 0.03

    SLiMS 8 Akasia through 8.3.1 has an arbitrary file reading issue because of directory traversal in the url parameter to admin/help.php. It can be exploited by remote authenticated librarian users.

  • CVE-2018-12657 (Medium) Jun 22, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    Reflected Cross-Site Scripting (XSS) exists in the Master File module in SLiMS 8 Akasia 8.3.1 via an admin/modules/master_file/rda_cmc.php?keywords= URI.

  • CVE-2018-12656 (Medium) Jun 22, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    Reflected Cross-Site Scripting (XSS) exists in the Membership module in SLiMS 8 Akasia 8.3.1 via an admin/modules/membership/index.php?keywords= URI.

  • CVE-2021-45791 (severity not listed) Mar 17, 2022
    risk 0.00, CVSS not listed, EPSS 0.01

    Slims8 Akasia 8.3.1 is affected by SQL injection in /admin/modules/bibliography/index.php, /admin/modules/membership/member_type.php, /admin/modules/system/user_group.php, and /admin/modules/membership/index.php through the dir parameter. It can be used by remotely authenticated…