VYPR

Cscms

by Cscms

CVEs (24)

  • CVE-2020-28103CriJan 11, 2022
    risk 0.64cvss 9.8epss 0.01

    cscms v4.1 allows for SQL injection via the "page_del" function.

  • CVE-2020-28102CriJan 11, 2022
    risk 0.64cvss 9.8epss 0.01

    cscms v4.1 allows for SQL injection via the "js_del" function.

  • CVE-2020-21238CriDec 27, 2021
    risk 0.64cvss 9.8epss 0.01

    An issue in the user login box of CSCMS v4.0 allows attackers to hijack user accounts via brute force attacks.

  • CVE-2020-22848CriAug 30, 2021
    risk 0.64cvss 9.8epss 0.03

    A remote code execution (RCE) vulnerability in the \Playsong.php component of cscms v4.1 allows attackers to execute arbitrary commands.

  • CVE-2018-17126CriSep 17, 2018
    risk 0.64cvss 9.8epss 0.03

    CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_POST[cmd]);# in Web Name to upload\plugins\sys\Install.php.

  • CVE-2018-16731CriSep 8, 2018
    risk 0.64cvss 9.8epss 0.01

    CScms 4.1 allows arbitrary file upload by (for example) adding the php extension to the default filetype list (gif, jpg, png), and then providing a .php pathname within fileurl JSON data.

  • CVE-2022-29685HigMay 26, 2022
    risk 0.57cvss 8.8epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/User/level_sort.

  • CVE-2022-28552HigMay 4, 2022
    risk 0.57cvss 8.8epss 0.01

    Cscms 4.1 is vulnerable to SQL Injection. Log into the background, open the song module, create a new song, delete it to the recycle bin, and SQL injection security problems will occur when emptying the recycle bin.

  • CVE-2018-16732HigSep 8, 2018
    risk 0.57cvss 8.8epss 0.01

    \upload\plugins\sys\admin\Setting.php in CScms 4.1 allows CSRF via admin.php/setting/ftp_save.

  • CVE-2018-16448HigSep 4, 2018
    risk 0.57cvss 8.8epss 0.00

    Cscms 4 allows CSRF for creating a member via upload/admin.php/user/save, authenticating vip members via upload/admin.php/user/init/tid and upload/admin.php/user/init/rzid, and creating a super administrator and web editor via upload/admin.php/sys/save.

  • CVE-2018-11527HigMay 29, 2018
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in CScms v4.1. A Cross-site request forgery (CSRF) vulnerability in plugins/sys/admin/Sys.php allows remote attackers to change the administrator's username and password via /admin.php/sys/editpass_save.

  • CVE-2019-6779HigJan 24, 2019
    risk 0.53cvss 8.1epss 0.00

    Cscms 4.1.8 allows admin.php/links/save CSRF to add, modify, or delete friend links.

  • CVE-2018-17125HigSep 17, 2018
    risk 0.49cvss 7.5epss 0.01

    CScms 4.1 allows arbitrary directory deletion via a dir=..\\ substring to plugins\sys\admin\Plugins.php.

  • CVE-2022-29688HigMay 26, 2022
    risk 0.47cvss 7.2epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/singer/hy.

  • CVE-2022-29687HigMay 26, 2022
    risk 0.47cvss 7.2epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/level_del.

  • CVE-2022-29683HigMay 26, 2022
    risk 0.47cvss 7.2epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Label/page_del.

  • CVE-2022-29682HigMay 26, 2022
    risk 0.47cvss 7.2epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/vod/admin/topic/del.

  • CVE-2022-29681HigMay 26, 2022
    risk 0.47cvss 7.2epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Links/del.

  • CVE-2022-29680HigMay 26, 2022
    risk 0.47cvss 7.2epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/zu_del.

  • CVE-2022-29676HigMay 26, 2022
    risk 0.47cvss 7.2epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/lists/zhuan.

Page 1 of 2