VYPR

OFCMS

by OFCMS

CVEs (23)

  • CVE-2024-34256CriMay 14, 2024
    risk 0.64cvss 9.8epss 0.01

    OFCMS V1.1.2 is vulnerable to SQL Injection via the new table function.

  • CVE-2023-24760HigMar 16, 2023
    risk 0.57cvss 8.8epss 0.01

    An issue found in Ofcms v.1.1.4 allows a remote attacker to to escalate privileges via the respwd method in SysUserController.

  • CVE-2019-9617HigMar 6, 2019
    risk 0.57cvss 8.8epss 0.03

    An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadFile URI.

  • CVE-2019-9614HigMar 6, 2019
    risk 0.57cvss 8.8epss 0.03

    An issue was discovered in OFCMS before 1.1.3. A command execution vulnerability exists via a template file with '<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("' followed by the command.

  • CVE-2019-9612HigMar 6, 2019
    risk 0.57cvss 8.8epss 0.03

    An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/comn/service/upload URI.

  • CVE-2019-9609HigMar 6, 2019
    risk 0.57cvss 8.8epss 0.03

    An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/comn/service/editUploadImage URI.

  • CVE-2019-9608HigMar 6, 2019
    risk 0.57cvss 8.8epss 0.03

    An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadImage URI.

  • CVE-2019-9616HigMar 6, 2019
    risk 0.47cvss 7.2epss 0.03

    An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadScrawl URI.

  • CVE-2019-9615HigMar 6, 2019
    risk 0.47cvss 7.2epss 0.01

    An issue was discovered in OFCMS before 1.1.3. It allows admin/system/generate/create?sql= SQL injection, related to SystemGenerateController.java.

  • CVE-2019-9613HigMar 6, 2019
    risk 0.47cvss 7.2epss 0.03

    An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadVideo URI.

  • CVE-2024-48236MedOct 25, 2024
    risk 0.42cvss 6.5epss 0.01

    An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the FileOutputStream function in the write String method of the ofcms-admin\src\main\java\com\ofsoft\cms\core\uitle\FileUtils.java file

  • CVE-2024-48235MedOct 25, 2024
    risk 0.42cvss 6.5epss 0.01

    An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the save method of the TemplateController.java file.

  • CVE-2019-9611MedMar 6, 2019
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in OFCMS before 1.1.3. It allows admin/cms/template/getTemplates.html?res_path=res directory traversal, with ../ in the dir parameter, to write arbitrary content (in the file_content parameter) into an arbitrary file (specified by the file_name…

  • CVE-2026-10204MedJun 1, 2026
    risk 0.41cvss 6.3epss 0.00

    A weakness has been identified in OFCMS 1.1.3. The affected element is the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SysUserController.java of the component JSON Query Interface. This manipulation causes sql injection. The…

  • CVE-2026-10202MedJun 1, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was identified in OFCMS 1.1.3. This issue affects the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemDictController.java of the component JSON Query Interface. The manipulation leads to sql injection. The attack…

  • CVE-2026-10193MedMay 31, 2026
    risk 0.41cvss 6.3epss 0.00

    A security flaw has been discovered in OFCMS up to 1.1.3. The impacted element is the function Query of the file ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\ComnController.java of the component ComnController. Performing a manipulation of the argument…

  • CVE-2022-29653MedJun 2, 2022
    risk 0.40cvss 6.1epss 0.01

    OFCMS v1.1.4 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/comn/service/update.json.

  • CVE-2023-51807MedJan 16, 2024
    risk 0.35cvss 5.4epss 0.00

    Cross Site Scripting vulnerability in OFCMS v.1.14 allows a remote attacker to obtain sensitive information via a crafted payload to the title addition component.

  • CVE-2022-27961MedApr 10, 2022
    risk 0.35cvss 5.4epss 0.00

    A cross-site scripting (XSS) vulnerability at /ofcms/company-c-47 in OFCMS v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment text box.

  • CVE-2022-27960MedApr 10, 2022
    risk 0.35cvss 5.4epss 0.00

    Insecure permissions configured in the user_id parameter at SysUserController.java of OFCMS v1.1.4 allows attackers to access and arbitrarily modify users' personal information.

Page 1 of 2