ICMS
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-39806 | iCMS | Critical | 0.64 | 9.8 | 0.01 | | Aug 10, 2023 | iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the bakupdata function. |
| CVE-2023-39805 | iCMS | Critical | 0.64 | 9.8 | 0.01 | | Aug 10, 2023 | iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the where parameter at admincp.php. |
| CVE-2022-41496 | iCMS | Critical | 0.64 | 9.8 | 0.01 | | Oct 13, 2022 | iCMS v7.0.16 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at admincp.php. |
| CVE-2021-44978 | iCMS | Critical | 0.64 | 9.8 | 0.02 | | Feb 4, 2022 | iCMS <= 8.0.0 allows users to add and render a custom template, which has an SSTI vulnerability that leads to remote code execution. |
| CVE-2020-19527 | iCMS | Critical | 0.64 | 9.8 | 0.02 | | Dec 10, 2020 | iCMS 7.0.14 allows attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php. |
| CVE-2020-19142 | iCMS | Critical | 0.64 | 9.8 | 0.02 | | Dec 10, 2020 | iCMS 7 allows attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php. |
| CVE-2018-18702 | iCMS | Critical | 0.64 | 9.8 | 0.01 | | Oct 29, 2018 | spider.admincp.php in iCMS v7.0.11 allows SQL injection via admincp.php?app=spider&do=import_rule because the upfile content is base64 decoded, deserialized, and used for database insertion. |
| CVE-2020-18070 | iCMS | Critical | 0.59 | 9.1 | 0.02 | | Apr 30, 2021 | Path Traversal in iCMS v7.0.13 allows remote attackers to delete folders by injecting commands into a crafted HTTP request to the "do_del()" method of the component "database.admincp.php". |
| CVE-2020-21141 | iCMS | High | 0.57 | 8.8 | 0.01 | | Nov 12, 2021 | iCMS v7.0.15 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admincp.php?app=members&do=add. |
| CVE-2020-26641 | iCMS | High | 0.57 | 8.8 | 0.01 | | May 28, 2021 | A Cross-Site Request Forgery (CSRF) vulnerability was discovered in iCMS 7.0.16 which can allow an attacker to execute arbitrary web scripts. |
| CVE-2021-44977 | iCMS | High | 0.49 | 7.5 | 0.02 | | Feb 4, 2022 | In iCMS <= 8.0.0, a directory traversal vulnerability allows an attacker to read arbitrary files. |
| CVE-2020-24739 | iCMS | Medium | 0.42 | 6.5 | 0.00 | | Sep 10, 2020 | A CSRF vulnerability was found in iCMS v7.0.0 in the background administrator-account deletion function. When the CSRF_TOKEN is missing, the request is still processed normally, and all administrators except the initial administrator will be deleted. |
| CVE-2019-14976 | iCMS | Medium | 0.40 | 6.1 | 0.01 | | Aug 12, 2019 | iCMS 7.0.15 allows admincp.php?app=apps XSS via the keywords parameter. |