S CMS
by S CMS
CVEs (52)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-51052 | Cri | 0.64 | 9.8 | 0.01 | Dec 21, 2023 | S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_formauth parameter at /admin/ajax.php. | ||
| CVE-2023-51051 | Cri | 0.64 | 9.8 | 0.01 | Dec 21, 2023 | S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_textauth parameter at /admin/ajax.php. | ||
| CVE-2023-51050 | Cri | 0.64 | 9.8 | 0.01 | Dec 21, 2023 | S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_productauth parameter at /admin/ajax.php. | ||
| CVE-2023-51049 | Cri | 0.64 | 9.8 | 0.01 | Dec 21, 2023 | S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_bbsauth parameter at /admin/ajax.php. | ||
| CVE-2023-51048 | Cri | 0.64 | 9.8 | 0.01 | Dec 21, 2023 | S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_newsauth parameter at /admin/ajax.php. | ||
| CVE-2022-23336 | Cri | 0.64 | 9.8 | 0.01 | Feb 14, 2022 | S-CMS v5.0 was discovered to contain a SQL injection vulnerability in member_pay.php via the O_id parameter. | ||
| CVE-2019-10708 | Cri | 0.64 | 9.8 | 0.03 | Apr 2, 2019 | S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike id parameter. | ||
| CVE-2019-6805 | Cri | 0.64 | 9.8 | 0.01 | Jan 25, 2019 | SQL Injection was found in S-CMS version V3.0 via the alipay/alipayapi.php O_id parameter. | ||
| CVE-2018-20480 | Cri | 0.64 | 9.8 | 0.01 | Dec 26, 2018 | An issue was discovered in S-CMS 1.0. It allows SQL Injection via the js/pic.php P_id parameter. | ||
| CVE-2018-20479 | Cri | 0.64 | 9.8 | 0.01 | Dec 26, 2018 | An issue was discovered in S-CMS 1.0. It allows SQL Injection via the wap_index.php?type=newsinfo S_id parameter. | ||
| CVE-2018-20477 | Cri | 0.64 | 9.8 | 0.01 | Dec 26, 2018 | An issue was discovered in S-CMS 3.0. It allows SQL Injection via the bank/callback1.php P_no field. | ||
| CVE-2018-18427 | Cri | 0.64 | 9.8 | 0.01 | Oct 17, 2018 | s-cms 3.0 allows SQL Injection via the member/post.php 0_id parameter or the POST data to member/member_login.php. | ||
| CVE-2011-10009 | Hig | 0.60 | — | 0.02 | Aug 13, 2025 | S40 CMS v0.4.2 contains a path traversal vulnerability in its index.php page handler. The p parameter is not properly sanitized, allowing attackers to traverse the file system and access arbitrary files outside the web root. This can be exploited remotely without authentication… | ||
| CVE-2019-10237 | Hig | 0.57 | 8.8 | 0.01 | Mar 27, 2019 | S-CMS PHP v1.0 has a CSRF vulnerability to add a new admin user via the 4.edu.php/admin/ajax.php?type=admin&action=add&lang=0 URI, a related issue to CVE-2019-9040. | ||
| CVE-2019-9040 | Hig | 0.57 | 8.8 | 0.01 | Feb 23, 2019 | S-CMS PHP v3.0 has a CSRF vulnerability to add a new admin user via the admin/ajax.php?type=admin&action=add URI, a related issue to CVE-2018-19332. | ||
| CVE-2018-19332 | Hig | 0.57 | 8.8 | 0.00 | Nov 17, 2018 | An issue was discovered in S-CMS v1.5. There is a CSRF vulnerability that can add a new user via the admin/ajax.php?type=member&action=add URI. | ||
| CVE-2018-18426 | Hig | 0.57 | 8.8 | 0.02 | Oct 17, 2018 | s-cms 3.0 allows remote attackers to execute arbitrary PHP code by placing this code in a crafted User-agent Disallow value in the robots.php txt parameter. | ||
| CVE-2020-19954 | Hig | 0.49 | 7.5 | 0.01 | Oct 14, 2021 | An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files. | ||
| CVE-2020-20340 | Hig | 0.49 | 7.5 | 0.01 | Sep 1, 2021 | A SQL injection vulnerability in the 4.edu.php\conn\function.php component of S-CMS v1.0 allows attackers to access sensitive database information. | ||
| CVE-2018-20478 | Hig | 0.49 | 7.5 | 0.01 | Dec 26, 2018 | An issue was discovered in S-CMS 1.0. It allows reading certain files, such as PHP source code, via the admin/download.php DownName parameter with a mixed-case extension, as demonstrated by a DownName=download.Php value. |
- risk 0.64cvss 9.8epss 0.01
S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_formauth parameter at /admin/ajax.php.
- risk 0.64cvss 9.8epss 0.01
S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_textauth parameter at /admin/ajax.php.
- risk 0.64cvss 9.8epss 0.01
S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_productauth parameter at /admin/ajax.php.
- risk 0.64cvss 9.8epss 0.01
S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_bbsauth parameter at /admin/ajax.php.
- risk 0.64cvss 9.8epss 0.01
S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_newsauth parameter at /admin/ajax.php.
- risk 0.64cvss 9.8epss 0.01
S-CMS v5.0 was discovered to contain a SQL injection vulnerability in member_pay.php via the O_id parameter.
- risk 0.64cvss 9.8epss 0.03
S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike id parameter.
- risk 0.64cvss 9.8epss 0.01
SQL Injection was found in S-CMS version V3.0 via the alipay/alipayapi.php O_id parameter.
- risk 0.64cvss 9.8epss 0.01
An issue was discovered in S-CMS 1.0. It allows SQL Injection via the js/pic.php P_id parameter.
- risk 0.64cvss 9.8epss 0.01
An issue was discovered in S-CMS 1.0. It allows SQL Injection via the wap_index.php?type=newsinfo S_id parameter.
- risk 0.64cvss 9.8epss 0.01
An issue was discovered in S-CMS 3.0. It allows SQL Injection via the bank/callback1.php P_no field.
- risk 0.64cvss 9.8epss 0.01
s-cms 3.0 allows SQL Injection via the member/post.php 0_id parameter or the POST data to member/member_login.php.
- risk 0.60cvss —epss 0.02
S40 CMS v0.4.2 contains a path traversal vulnerability in its index.php page handler. The p parameter is not properly sanitized, allowing attackers to traverse the file system and access arbitrary files outside the web root. This can be exploited remotely without authentication…
- risk 0.57cvss 8.8epss 0.01
S-CMS PHP v1.0 has a CSRF vulnerability to add a new admin user via the 4.edu.php/admin/ajax.php?type=admin&action=add&lang=0 URI, a related issue to CVE-2019-9040.
- risk 0.57cvss 8.8epss 0.01
S-CMS PHP v3.0 has a CSRF vulnerability to add a new admin user via the admin/ajax.php?type=admin&action=add URI, a related issue to CVE-2018-19332.
- risk 0.57cvss 8.8epss 0.00
An issue was discovered in S-CMS v1.5. There is a CSRF vulnerability that can add a new user via the admin/ajax.php?type=member&action=add URI.
- risk 0.57cvss 8.8epss 0.02
s-cms 3.0 allows remote attackers to execute arbitrary PHP code by placing this code in a crafted User-agent Disallow value in the robots.php txt parameter.
- risk 0.49cvss 7.5epss 0.01
An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files.
- risk 0.49cvss 7.5epss 0.01
A SQL injection vulnerability in the 4.edu.php\conn\function.php component of S-CMS v1.0 allows attackers to access sensitive database information.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in S-CMS 1.0. It allows reading certain files, such as PHP source code, via the admin/download.php DownName parameter with a mixed-case extension, as demonstrated by a DownName=download.Php value.
Page 1 of 3