VYPR
Vendor

Cscms

Products
2
CVEs
41
Across products
51
Status
Private

Products

2

Recent CVEs

41
View all 41 CVEs →
  • CVE-2022-29660CriMay 26, 2022
    risk 0.65cvss 9.8epss 0.11

    CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/pic/del.

  • CVE-2020-28103CriJan 11, 2022
    risk 0.64cvss 9.8epss 0.01

    cscms v4.1 allows for SQL injection via the "page_del" function.

  • CVE-2020-28102CriJan 11, 2022
    risk 0.64cvss 9.8epss 0.01

    cscms v4.1 allows for SQL injection via the "js_del" function.

  • CVE-2020-21238CriDec 27, 2021
    risk 0.64cvss 9.8epss 0.01

    An issue in the user login box of CSCMS v4.0 allows attackers to hijack user accounts via brute force attacks.

  • CVE-2020-22848CriAug 30, 2021
    risk 0.64cvss 9.8epss 0.03

    A remote code execution (RCE) vulnerability in the \Playsong.php component of cscms v4.1 allows attackers to execute arbitrary commands.

  • CVE-2018-17126CriSep 17, 2018
    risk 0.64cvss 9.8epss 0.03

    CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_POST[cmd]);# in Web Name to upload\plugins\sys\Install.php.

  • CVE-2018-16731CriSep 8, 2018
    risk 0.64cvss 9.8epss 0.01

    CScms 4.1 allows arbitrary file upload by (for example) adding the php extension to the default filetype list (gif, jpg, png), and then providing a .php pathname within fileurl JSON data.

  • CVE-2022-29685HigMay 26, 2022
    risk 0.57cvss 8.8epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/User/level_sort.

  • CVE-2022-29667HigMay 26, 2022
    risk 0.57cvss 8.8epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via /admin.php/pic/admin/pic/hy. This vulnerability is exploited via restoring deleted photos.

  • CVE-2022-29664HigMay 26, 2022
    risk 0.57cvss 8.8epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/pl_save.

  • CVE-2022-28552HigMay 4, 2022
    risk 0.57cvss 8.8epss 0.01

    Cscms 4.1 is vulnerable to SQL Injection. Log into the background, open the song module, create a new song, delete it to the recycle bin, and SQL injection security problems will occur when emptying the recycle bin.

  • CVE-2018-16732HigSep 8, 2018
    risk 0.57cvss 8.8epss 0.01

    \upload\plugins\sys\admin\Setting.php in CScms 4.1 allows CSRF via admin.php/setting/ftp_save.

  • CVE-2018-16448HigSep 4, 2018
    risk 0.57cvss 8.8epss 0.00

    Cscms 4 allows CSRF for creating a member via upload/admin.php/user/save, authenticating vip members via upload/admin.php/user/init/tid and upload/admin.php/user/init/rzid, and creating a super administrator and web editor via upload/admin.php/sys/save.

  • CVE-2018-11527HigMay 29, 2018
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in CScms v4.1. A Cross-site request forgery (CSRF) vulnerability in plugins/sys/admin/Sys.php allows remote attackers to change the administrator's username and password via /admin.php/sys/editpass_save.

  • CVE-2019-6779HigJan 24, 2019
    risk 0.53cvss 8.1epss 0.00

    Cscms 4.1.8 allows admin.php/links/save CSRF to add, modify, or delete friend links.

  • CVE-2018-17125HigSep 17, 2018
    risk 0.49cvss 7.5epss 0.01

    CScms 4.1 allows arbitrary directory deletion via a dir=..\\ substring to plugins\sys\admin\Plugins.php.

  • CVE-2022-29689HigMay 26, 2022
    risk 0.47cvss 7.2epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/singer/del.

  • CVE-2022-29688HigMay 26, 2022
    risk 0.47cvss 7.2epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/singer/hy.

  • CVE-2022-29687HigMay 26, 2022
    risk 0.47cvss 7.2epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/level_del.

  • CVE-2022-29686HigMay 26, 2022
    risk 0.47cvss 7.2epss 0.01

    CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/lists/zhuan.