Icms
by Idreamsoft
CVEs (51)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-30661 | | | 0.00 | — | 0.00 | | Mar 24, 2026 | iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or HTML via the regip or loginip parameters. |
| CVE-2023-42322 | | | 0.00 | — | 0.01 | | Sep 20, 2023 | Insecure Permissions vulnerability in icmsdev iCMS v.7.0.16 allows a remote attacker to obtain sensitive information. |
| CVE-2023-42321 | | | 0.00 | — | 0.00 | | Sep 20, 2023 | Cross Site Request Forgery (CSRF) vulnerability in icmsdev iCMS v.7.0.16 allows a remote attacker to execute arbitrary code via the user.admincp.php, members.admincp.php, and group.admincp.php files. |
| CVE-2023-40953 | | | 0.00 | — | 0.00 | | Sep 8, 2023 | iCMS 7.0.16 is vulnerable to Cross Site Request Forgery (CSRF). |
| CVE-2023-39805 | | | 0.00 | — | 0.01 | | Aug 10, 2023 | iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the where parameter at admincp.php. |
| CVE-2023-39806 | | | 0.00 | — | 0.01 | | Aug 10, 2023 | iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the bakupdata function. |
| CVE-2022-41496 | | | 0.00 | — | 0.01 | | Oct 13, 2022 | iCMS v7.0.16 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at admincp.php. |
| CVE-2021-44977 | | | 0.00 | — | 0.02 | | Feb 4, 2022 | In iCMS <=8.0.0, a directory traversal vulnerability allows an attacker to read arbitrary files. |
| CVE-2020-21141 | | | 0.00 | — | 0.01 | | Nov 12, 2021 | iCMS v7.0.15 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admincp.php?app=members&do=add. |
| CVE-2020-26641 | | | 0.00 | — | 0.01 | | May 28, 2021 | A Cross Site Request Forgery (CSRF) vulnerability was discovered in iCMS 7.0.16 which can allow an attacker to execute arbitrary web scripts. |
| CVE-2020-18070 | | | 0.00 | — | 0.02 | | Apr 29, 2021 | Path Traversal in iCMS v7.0.13 allows remote attackers to delete folders by injecting commands into a crafted HTTP request to the "do_del()" method of the component "database.admincp.php". |
| CVE-2020-19142 | | | 0.00 | — | 0.02 | | Dec 10, 2020 | iCMS 7 allows attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php. |
| CVE-2020-19527 | | | 0.00 | — | 0.02 | | Dec 10, 2020 | iCMS 7.0.14 allows attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php. |
| CVE-2020-24739 | | | 0.00 | — | 0.00 | | Sep 10, 2020 | A CSRF vulnerability was found in iCMS v7.0.0 in the back-end function for deleting administrator accounts. When the CSRF_TOKEN is missing, the request is still processed normally, and all administrators except the initial administrator will be deleted. |
| CVE-2019-17583 | | | 0.00 | — | 0.01 | | Oct 14, 2019 | idreamsoft iCMS 7.0.15 allows remote attackers to cause a denial of service (resource consumption) via a query for many comments, as demonstrated by the admincp.php?app=comment&perpage= substring followed by a large positive integer. |
| CVE-2019-17552 | | | 0.00 | — | 0.01 | | Oct 14, 2019 | An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_project.admincp.php SQL injection vulnerability in the 'upload spider project scheme' feature via a two-dimensional payload. |
| CVE-2019-16677 | | | 0.00 | — | 0.00 | | Sep 21, 2019 | An issue was discovered in idreamsoft iCMS V7.0. admincp.php?app=members&do=del allows CSRF. |
| CVE-2019-14976 | | | 0.00 | — | 0.01 | | Aug 12, 2019 | iCMS 7.0.15 allows admincp.php?app=apps XSS via the keywords parameter. |
| CVE-2019-11427 | | | 0.00 | — | 0.01 | | Apr 21, 2019 | An XSS issue was discovered in app/search/search.app.php in idreamsoft iCMS 7.0.14 via the public/api.php?app=search q parameter. |
| CVE-2019-11426 | | | 0.00 | — | 0.01 | | Apr 21, 2019 | An XSS issue was discovered in app/admincp/template/admincp.header.php in idreamsoft iCMS 7.0.14 via the admincp.php?app=config tab parameter. |
Page 2 of 3