Vendor CVEs
OFCMS
All CVEs
23 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-34256 | Cri | 0.64 | 9.8 | 0.01 | May 14, 2024 | OFCMS V1.1.2 is vulnerable to SQL Injection via the new table function. | ||
| CVE-2023-24760 | Hig | 0.57 | 8.8 | 0.01 | Mar 16, 2023 | An issue found in Ofcms v.1.1.4 allows a remote attacker to to escalate privileges via the respwd method in SysUserController. | ||
| CVE-2019-9617 | Hig | 0.57 | 8.8 | 0.03 | Mar 6, 2019 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadFile URI. | ||
| CVE-2019-9614 | Hig | 0.57 | 8.8 | 0.03 | Mar 6, 2019 | An issue was discovered in OFCMS before 1.1.3. A command execution vulnerability exists via a template file with '<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("' followed by the command. | ||
| CVE-2019-9612 | Hig | 0.57 | 8.8 | 0.03 | Mar 6, 2019 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/comn/service/upload URI. | ||
| CVE-2019-9609 | Hig | 0.57 | 8.8 | 0.03 | Mar 6, 2019 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/comn/service/editUploadImage URI. | ||
| CVE-2019-9608 | Hig | 0.57 | 8.8 | 0.03 | Mar 6, 2019 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadImage URI. | ||
| CVE-2019-9616 | Hig | 0.47 | 7.2 | 0.03 | Mar 6, 2019 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadScrawl URI. | ||
| CVE-2019-9615 | Hig | 0.47 | 7.2 | 0.01 | Mar 6, 2019 | An issue was discovered in OFCMS before 1.1.3. It allows admin/system/generate/create?sql= SQL injection, related to SystemGenerateController.java. | ||
| CVE-2019-9613 | Hig | 0.47 | 7.2 | 0.03 | Mar 6, 2019 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadVideo URI. | ||
| CVE-2024-48236 | Med | 0.42 | 6.5 | 0.01 | Oct 25, 2024 | An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the FileOutputStream function in the write String method of the ofcms-admin\src\main\java\com\ofsoft\cms\core\uitle\FileUtils.java file | ||
| CVE-2024-48235 | Med | 0.42 | 6.5 | 0.01 | Oct 25, 2024 | An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the save method of the TemplateController.java file. | ||
| CVE-2019-9611 | Med | 0.42 | 6.5 | 0.01 | Mar 6, 2019 | An issue was discovered in OFCMS before 1.1.3. It allows admin/cms/template/getTemplates.html?res_path=res directory traversal, with ../ in the dir parameter, to write arbitrary content (in the file_content parameter) into an arbitrary file (specified by the file_name… | ||
| CVE-2026-10204 | Med | 0.41 | 6.3 | 0.00 | Jun 1, 2026 | A weakness has been identified in OFCMS 1.1.3. The affected element is the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SysUserController.java of the component JSON Query Interface. This manipulation causes sql injection. The… | ||
| CVE-2026-10202 | Med | 0.41 | 6.3 | 0.00 | Jun 1, 2026 | A vulnerability was identified in OFCMS 1.1.3. This issue affects the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemDictController.java of the component JSON Query Interface. The manipulation leads to sql injection. The attack… | ||
| CVE-2026-10193 | Med | 0.41 | 6.3 | 0.00 | May 31, 2026 | A security flaw has been discovered in OFCMS up to 1.1.3. The impacted element is the function Query of the file ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\ComnController.java of the component ComnController. Performing a manipulation of the argument… | ||
| CVE-2022-29653 | Med | 0.40 | 6.1 | 0.01 | Jun 2, 2022 | OFCMS v1.1.4 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/comn/service/update.json. | ||
| CVE-2023-51807 | Med | 0.35 | 5.4 | 0.00 | Jan 16, 2024 | Cross Site Scripting vulnerability in OFCMS v.1.14 allows a remote attacker to obtain sensitive information via a crafted payload to the title addition component. | ||
| CVE-2022-27961 | Med | 0.35 | 5.4 | 0.00 | Apr 10, 2022 | A cross-site scripting (XSS) vulnerability at /ofcms/company-c-47 in OFCMS v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment text box. | ||
| CVE-2022-27960 | Med | 0.35 | 5.4 | 0.00 | Apr 10, 2022 | Insecure permissions configured in the user_id parameter at SysUserController.java of OFCMS v1.1.4 allows attackers to access and arbitrarily modify users' personal information. | ||
| CVE-2025-1557 | Med | 0.28 | 4.3 | 0.00 | Feb 22, 2025 | A vulnerability, which was classified as problematic, was found in OFCMS 1.1.3. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||
| CVE-2019-9610 | Med | 0.28 | 4.3 | 0.01 | Mar 6, 2019 | An issue was discovered in OFCMS before 1.1.3. It has admin/cms/template/getTemplates.html?res_path=res&up_dir=../ directory traversal, related to the getTemplates function in TemplateController.java. | ||
| CVE-2024-9411 | Low | 0.23 | 3.5 | 0.00 | Oct 1, 2024 | A vulnerability classified as problematic has been found in OFCMS 1.1.2. This affects the function add of the file /admin/system/dict/add.json?sqlid=system.dict.save. The manipulation of the argument dict_value leads to cross site scripting. It is possible to initiate the attack… |
- risk 0.64cvss 9.8epss 0.01
OFCMS V1.1.2 is vulnerable to SQL Injection via the new table function.
- risk 0.57cvss 8.8epss 0.01
An issue found in Ofcms v.1.1.4 allows a remote attacker to to escalate privileges via the respwd method in SysUserController.
- risk 0.57cvss 8.8epss 0.03
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadFile URI.
- risk 0.57cvss 8.8epss 0.03
An issue was discovered in OFCMS before 1.1.3. A command execution vulnerability exists via a template file with '<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("' followed by the command.
- risk 0.57cvss 8.8epss 0.03
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/comn/service/upload URI.
- risk 0.57cvss 8.8epss 0.03
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/comn/service/editUploadImage URI.
- risk 0.57cvss 8.8epss 0.03
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadImage URI.
- risk 0.47cvss 7.2epss 0.03
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadScrawl URI.
- risk 0.47cvss 7.2epss 0.01
An issue was discovered in OFCMS before 1.1.3. It allows admin/system/generate/create?sql= SQL injection, related to SystemGenerateController.java.
- risk 0.47cvss 7.2epss 0.03
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadVideo URI.
- risk 0.42cvss 6.5epss 0.01
An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the FileOutputStream function in the write String method of the ofcms-admin\src\main\java\com\ofsoft\cms\core\uitle\FileUtils.java file
- risk 0.42cvss 6.5epss 0.01
An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the save method of the TemplateController.java file.
- risk 0.42cvss 6.5epss 0.01
An issue was discovered in OFCMS before 1.1.3. It allows admin/cms/template/getTemplates.html?res_path=res directory traversal, with ../ in the dir parameter, to write arbitrary content (in the file_content parameter) into an arbitrary file (specified by the file_name…
- risk 0.41cvss 6.3epss 0.00
A weakness has been identified in OFCMS 1.1.3. The affected element is the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SysUserController.java of the component JSON Query Interface. This manipulation causes sql injection. The…
- risk 0.41cvss 6.3epss 0.00
A vulnerability was identified in OFCMS 1.1.3. This issue affects the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemDictController.java of the component JSON Query Interface. The manipulation leads to sql injection. The attack…
- risk 0.41cvss 6.3epss 0.00
A security flaw has been discovered in OFCMS up to 1.1.3. The impacted element is the function Query of the file ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\ComnController.java of the component ComnController. Performing a manipulation of the argument…
- risk 0.40cvss 6.1epss 0.01
OFCMS v1.1.4 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/comn/service/update.json.
- risk 0.35cvss 5.4epss 0.00
Cross Site Scripting vulnerability in OFCMS v.1.14 allows a remote attacker to obtain sensitive information via a crafted payload to the title addition component.
- risk 0.35cvss 5.4epss 0.00
A cross-site scripting (XSS) vulnerability at /ofcms/company-c-47 in OFCMS v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment text box.
- risk 0.35cvss 5.4epss 0.00
Insecure permissions configured in the user_id parameter at SysUserController.java of OFCMS v1.1.4 allows attackers to access and arbitrarily modify users' personal information.
- risk 0.28cvss 4.3epss 0.00
A vulnerability, which was classified as problematic, was found in OFCMS 1.1.3. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
- risk 0.28cvss 4.3epss 0.01
An issue was discovered in OFCMS before 1.1.3. It has admin/cms/template/getTemplates.html?res_path=res&up_dir=../ directory traversal, related to the getTemplates function in TemplateController.java.
- risk 0.23cvss 3.5epss 0.00
A vulnerability classified as problematic has been found in OFCMS 1.1.2. This affects the function add of the file /admin/system/dict/add.json?sqlid=system.dict.save. The manipulation of the argument dict_value leads to cross site scripting. It is possible to initiate the attack…