CMS
by Siteserver
Source repositories
CVEs (63)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2024-32343 | 0.00 | — | 0.00 | Apr 17, 2024 | A cross-site scripting (XSS) vulnerability in the Create Page of Boid CMS v2.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Content parameter. |
| CVE-2024-30614 | 0.00 | — | 0.00 | Apr 12, 2024 | An issue in Ametys CMS v4.5.0 and before allows attackers to obtain sensitive information via exposed resources to the error scope. |
| CVE-2023-2862 | 0.00 | — | 0.01 | May 24, 2023 | A vulnerability, which was classified as problematic, was found in SiteServer CMS up to 7.2.1. Affected is an unknown function of the file /api/stl/actions/search. The manipulation of the argument ajaxDivId leads to cross site scripting. It is possible to launch the attack… |
| CVE-2022-44298 | 0.00 | — | 0.01 | Jan 27, 2023 | SiteServer CMS 7.1.3 is vulnerable to SQL Injection. |
| CVE-2022-44297 | 0.00 | — | 0.01 | Jan 26, 2023 | SiteServer CMS 7.1.3 has a SQL injection vulnerability in the background. |
| CVE-2020-35597 | 0.00 | — | 0.01 | Jun 16, 2022 | Victor CMS 1.0 is vulnerable to SQL injection via c_id parameter of admin_edit_comment.php, p_id parameter of admin_edit_post.php, u_id parameter of admin_edit_user.php, and edit parameter of admin_update_categories.php. |
| CVE-2021-42655 | 0.00 | — | 0.01 | May 24, 2022 | SiteServer CMS V6.15.51 is affected by a SQL injection vulnerability. |
| CVE-2021-42654 | 0.00 | — | 0.02 | May 24, 2022 | SiteServer CMS < V5.1 is affected by an unrestricted upload of a file with dangerous type (getshell), which could be used to execute arbitrary code. |
| CVE-2020-28960 | 0.00 | — | 0.02 | Oct 22, 2021 | Chichen Tech CMS v1.0 was discovered to contain multiple SQL injection vulnerabilities in the file product_list.php via the id and cid parameters. |
| CVE-2020-20122 | 0.00 | — | 0.01 | Sep 28, 2021 | Wuzhi CMS v4.1 contains a SQL injection vulnerability in the checktitle() function in /coreframe/app/content/admin/content.php. |
| CVE-2020-19155 | 0.00 | — | 0.07 | Sep 15, 2021 | Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information and/or execute arbitrary code via the 'FileManager.rename()' function in the component 'modules/filemanager/FileManagerController.java'. |
| CVE-2020-19154 | 0.00 | — | 0.04 | Sep 15, 2021 | Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'FileManager.editFile()' function in the component 'modules/filemanager/FileManagerController.java'. |
| CVE-2020-19148 | 0.00 | — | 0.01 | Sep 15, 2021 | Cross Site Scripting (XSS) in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code via the 'Nickname' parameter in the component '/jfinal_cms/front/person/profile.html'. |
| CVE-2020-19146 | 0.00 | — | 0.02 | Sep 15, 2021 | Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'TemplatePath' parameter in the component 'jfinal_cms/admin/folder/list'. |
| CVE-2020-21976 | 0.00 | — | 0.02 | Aug 11, 2021 | An arbitrary file upload in the component of NewsOne CMS v1.1.0 allows attackers to webshell and execute arbitrary commands. |
| CVE-2020-23715 | 0.00 | — | 0.02 | Jun 28, 2021 | Directory Traversal vulnerability in Webport CMS 1.19.10.17121 via the file parameter to file/download. |
| CVE-2020-23962 | 0.00 | — | 0.01 | Jun 23, 2021 | A cross site scripting (XSS) vulnerability in Catfish CMS 4.9.90 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "announcement_gonggao" parameter. |
| CVE-2020-35126 | 0.00 | — | 0.01 | Dec 11, 2020 | Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy. |
| CVE-2020-26042 | 0.00 | — | 0.01 | Sep 29, 2020 | An issue was discovered in Hoosk CMS v1.8.0. There is a SQL injection vulnerability in install/index.php |
| CVE-2019-11401 | 0.00 | — | 0.03 | Apr 21, 2019 | An issue was discovered in SiteServer CMS 6.9.0. It allows remote attackers to execute arbitrary code because an administrator can add the permitted file extension .aassp, which is converted to .asp because the "as" substring is deleted. |