VYPR

iCMS

by ICMS

CVEs (13)

  • CVE-2023-39806CriAug 10, 2023
    risk 0.64cvss 9.8epss 0.01

    iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the bakupdata function.

  • CVE-2023-39805CriAug 10, 2023
    risk 0.64cvss 9.8epss 0.01

    iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the where parameter at admincp.php.

  • CVE-2022-41496CriOct 13, 2022
    risk 0.64cvss 9.8epss 0.01

    iCMS v7.0.16 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at admincp.php.

  • CVE-2021-44978CriFeb 4, 2022
    risk 0.64cvss 9.8epss 0.02

    iCMS <= 8.0.0 allows users to add and render a comtom template, which has a SSTI vulnerability which causes remote code execution.

  • CVE-2020-19527CriDec 10, 2020
    risk 0.64cvss 9.8epss 0.02

    iCMS 7.0.14 attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php.

  • CVE-2020-19142CriDec 10, 2020
    risk 0.64cvss 9.8epss 0.02

    iCMS 7 attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php.

  • CVE-2018-18702CriOct 29, 2018
    risk 0.64cvss 9.8epss 0.01

    spider.admincp.php in iCMS v7.0.11 allows SQL injection via admincp.php?app=spider&do=import_rule because the upfile content is base64 decoded, deserialized, and used for database insertion.

  • CVE-2020-18070CriApr 30, 2021
    risk 0.59cvss 9.1epss 0.02

    Path Traversal in iCMS v7.0.13 allows remote attackers to delete folders by injecting commands into a crafted HTTP request to the "do_del()" method of the component "database.admincp.php".

  • CVE-2020-21141HigNov 12, 2021
    risk 0.57cvss 8.8epss 0.01

    iCMS v7.0.15 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admincp.php?app=members&do=add.

  • CVE-2020-26641HigMay 28, 2021
    risk 0.57cvss 8.8epss 0.01

    A Cross Site Request Forgery (CSRF) vulnerability was discovered in iCMS 7.0.16 which can allow an attacker to execute arbitrary web scripts.

  • CVE-2021-44977HigFeb 4, 2022
    risk 0.49cvss 7.5epss 0.02

    In iCMS <=8.0.0, a directory traversal vulnerability allows an attacker to read arbitrary files.

  • CVE-2020-24739MedSep 10, 2020
    risk 0.42cvss 6.5epss 0.00

    A CSRF vulnerability was found in iCMS v7.0.0 in the background deletion administrator account. When missing the CSRF_TOKEN and can still request normally, all administrators except the initial administrator will be deleted.

  • CVE-2019-14976MedAug 12, 2019
    risk 0.40cvss 6.1epss 0.01

    iCMS 7.0.15 allows admincp.php?app=apps XSS via the keywords parameter.