Vendor CVEs
Open Solution
All CVEs
49 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-12465 | Hig | 0.56 | — | 0.00 | Dec 2, 2025 | A Blind SQL injection vulnerability has been identified in QuickCMS. Improper neutralization of input provided by a high-privileged user into aFilesDelete allows for Blind SQL Injection attacks. The vendor was notified early about this vulnerability, but didn't respond with the… | ||
| CVE-2026-11860 | Hig | 0.49 | — | 0.00 | Jun 15, 2026 | Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation… | ||
| CVE-2021-47981 | Med | 0.35 | 5.4 | 0.00 | May 16, 2026 | Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription parameter. Attackers can craft CSRF forms targeting the admin.php?p=sliders-form… | ||
| CVE-2025-10317 | Med | 0.33 | — | 0.00 | Oct 30, 2025 | Quick.Cart is vulnerable to Cross-Site Request Forgery in product creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious product with content defined by the attacker. This… | ||
| CVE-2026-33386 | Low | 0.15 | — | 0.00 | May 29, 2026 | QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the… | ||
| CVE-2020-35754 | 0.04 | — | 0.10 | Jan 28, 2021 | OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Language tab. | |||
| CVE-2012-6430 | 0.03 | — | 0.04 | Mar 24, 2014 | Cross-site scripting (XSS) vulnerability in Open Solution Quick.Cms 5.0 and Quick.Cart 6.0, possibly as downloaded before December 19, 2012, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin.php. NOTE: this might be a duplicate of… | |||
| CVE-2009-4120 | 0.03 | — | 0.01 | Dec 1, 2009 | Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.Cart 3.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete orders via an orders-delete action to admin.php, and possibly (2) delete products or (3) delete… | |||
| CVE-2009-1410 | 0.03 | — | 0.01 | Apr 24, 2009 | SQL injection vulnerability in index.php in Quick.Cms.Lite 0.5 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2008-4140 | 0.03 | — | 0.01 | Sep 24, 2008 | Cross-site scripting (XSS) vulnerability in admin.php in Quick.Cart 3.1 allows remote attackers to inject arbitrary web script or HTML via the query string. | |||
| CVE-2008-4139 | 0.03 | — | 0.02 | Sep 24, 2008 | Cross-site scripting (XSS) vulnerability in admin.php in OpenSolution Quick.Cms.Lite 2.1 allows remote attackers to inject arbitrary web script or HTML via the query string. | |||
| CVE-2007-3138 | 0.03 | — | 0.03 | Jun 8, 2007 | Directory traversal vulnerability in index.php in Open Solution Quick.Cart 2.2 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in an sLanguage cookie, which is used to define a value in config/general.php. | |||
| CVE-2007-3139 | 0.03 | — | 0.04 | Jun 8, 2007 | config/general.php in Quick.Cart 2.2 and earlier uses a default username and password, which allows remote attackers to access the application via a login action to admin.php. NOTE: this can be leveraged to upload and execute arbitrary code. | |||
| CVE-2006-6391 | 0.03 | — | 0.02 | Dec 8, 2006 | Multiple directory traversal vulnerabilities in Open Solution Quick.Cart 2.0, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to include arbitrary files via a .. (dot dot) in the config[db_type] parameter to (1) actions_admin/other.php… | |||
| CVE-2006-6390 | 0.03 | — | 0.02 | Dec 8, 2006 | Multiple directory traversal vulnerabilities in Open Solution Quick.Cart 2.0, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the config[db_type] parameter to (1)… | |||
| CVE-2006-5834 | 0.03 | — | 0.02 | Nov 10, 2006 | Directory traversal vulnerability in general.php in OpenSolution Quick.Cms.Lite 0.3 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the sLanguage Cookie parameter. | |||
| CVE-2005-1587 | 0.03 | — | 0.02 | May 14, 2005 | Cross-site scripting (XSS) vulnerability in index.php for Quick.cart 0.3.0 allows remote attackers to inject arbitrary web script or HTML via the sWord parameter. | |||
| CVE-2026-23796 | 0.00 | — | 0.00 | Feb 5, 2026 | Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was… | |||
| CVE-2026-23797 | 0.00 | — | 0.00 | Feb 5, 2026 | In Quick.Cart user passwords are stored in plaintext form. An attacker with high privileges can display users' password in user editing page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version… | |||
| CVE-2025-67684 | 0.00 | — | 0.01 | Jan 22, 2026 | Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute… | |||
| CVE-2025-67683 | 0.00 | — | 0.00 | Jan 22, 2026 | Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim’s browser. The vendor was notified early about this vulnerability, but didn't respond with the… | |||
| CVE-2024-58308 | 0.00 | — | 0.01 | Dec 11, 2025 | Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form. Attackers can inject specific SQL payloads like ' or '1'='1 to gain unauthorized administrative access to the system. | |||
| CVE-2025-10018 | 0.00 | — | 0.00 | Nov 14, 2025 | QuickCMS is vulnerable to multiple Stored XSS in language editor functionality (languages). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript… | |||
| CVE-2025-9982 | 0.00 | — | 0.00 | Nov 14, 2025 | A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve authentication details, potentially… | |||
| CVE-2025-9981 | 0.00 | — | 0.00 | Oct 23, 2025 | QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality (sliders-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript… | |||
| CVE-2025-9980 | 0.00 | — | 0.00 | Oct 23, 2025 | QuickCMS is vulnerable to multiple Stored XSS in page editor functionality (pages-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add… | |||
| CVE-2025-55175 | 0.00 | — | 0.00 | Aug 28, 2025 | QuickCMS is vulnerable to Reflected XSS via sLangEdit parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this… | |||
| CVE-2025-54544 | 0.00 | — | 0.00 | Aug 28, 2025 | QuickCMS is vulnerable to Stored XSS via aDirFilesDescriptions parameter in files editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is… | |||
| CVE-2025-54543 | 0.00 | — | 0.00 | Aug 28, 2025 | QuickCMS is vulnerable to Stored XSS via sDescriptionMeta parameter in page editor SEO functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not… | |||
| CVE-2025-54542 | 0.00 | — | 0.00 | Aug 28, 2025 | QuickCMS sends password and login via GET Request. This allows a local attacker with access to the victim's browser history to obtain the necessary credentials to log in as the user. The vendor was notified early about this vulnerability, but didn't respond with the details of… | |||
| CVE-2025-54541 | 0.00 | — | 0.00 | Aug 28, 2025 | QuickCMS is vulnerable to Cross-Site Request Forgery in page deletion functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request deleting an article. The vendor was notified early about this… | |||
| CVE-2025-54540 | 0.00 | — | 0.00 | Aug 28, 2025 | QuickCMS is vulnerable to Reflected XSS via sSort parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this… | |||
| CVE-2025-54175 | 0.00 | — | 0.00 | Aug 20, 2025 | QuickCMS.EXT is vulnerable to Reflected XSS in sFileName parameter in thumbnail viewer functionality. An attacker can craft a malicious URL that results in arbitrary JavaScript execution in the victim's browser when opened. The vendor was notified early about this… | |||
| CVE-2025-54174 | 0.00 | — | 0.00 | Aug 20, 2025 | QuickCMS is vulnerable to Cross-Site Request Forgery in article creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious article with content defined by the attacker. The… | |||
| CVE-2025-54172 | 0.00 | — | 0.00 | Aug 20, 2025 | QuickCMS is vulnerable to Stored XSS in sTitle parameter in page editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. Regular admin user is not able to inject any… | |||
| CVE-2023-43346 | 0.00 | — | 0.00 | Oct 20, 2023 | Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Backend - Dashboard parameter in the Languages Menu component. | |||
| CVE-2023-43345 | 0.00 | — | 0.00 | Oct 19, 2023 | Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Content - Name parameter in the Pages Menu component. | |||
| CVE-2023-43342 | 0.00 | — | 0.00 | Oct 19, 2023 | Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Languages Menu component. | |||
| CVE-2023-43344 | 0.00 | — | 0.01 | Oct 19, 2023 | Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the SEO - Meta description parameter in the Pages Menu component. | |||
| CVE-2023-43343 | 0.00 | — | 0.01 | Oct 5, 2023 | Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Files - Description parameter in the Pages Menu component. | |||
| CVE-2012-6049 | 0.00 | — | 0.01 | Nov 27, 2012 | Open Solution Quick.Cart 5.0 allows remote attackers to obtain sensitive information via (1) a long string or (2) invalid characters in a cookie, which reveals the installation path in an error message. | |||
| CVE-2012-3833 | 0.00 | — | 0.01 | Jul 3, 2012 | Cross-site scripting (XSS) vulnerability in the default index page in admin/ in Quick.CMS 4.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter. | |||
| CVE-2009-4121 | 0.00 | — | 0.01 | Dec 1, 2009 | Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.CMS 2.4 and Quick.CMS.Lite 2.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete web pages via a p-delete action to admin.php, and possibly (2) delete products… | |||
| CVE-2007-1407 | 0.00 | — | 0.01 | Mar 10, 2007 | Unspecified vulnerability in OpenSolution Quick.Cart before 2.1 has unknown impact and attack vectors, related to a "low critical exploit." | |||
| CVE-2007-0258 | 0.00 | — | 0.02 | Jan 16, 2007 | Cross-site scripting (XSS) vulnerability in index.php in (1) Fastilo 2.0 and (2) Open Solution Quick.Cart 2.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: some of these details are obtained from third party information. | |||
| CVE-2005-1584 | 0.00 | — | 0.01 | May 14, 2005 | Cross-site scripting (XSS) vulnerability in index.php for Quick.Forum 2.1.6 allows remote attackers to inject arbitrary web script or HTML via the topic field in a NewTopic action. | |||
| CVE-2005-1586 | 0.00 | — | 0.01 | May 14, 2005 | Quick.Forum 2.1.6 stores potentially sensitive information such as usernames, banned IP addresses, censored words, and backups under the web document root, which allows remote attackers to obtain that information via a direct request to (1) db/users.txt, (2) db/banList.txt, (3)… | |||
| CVE-2005-1588 | 0.00 | — | 0.01 | May 11, 2005 | SQL injection vulnerability in index.php for Quick.cart 0.3.0 allows remote attackers to execute arbitrary SQL commands via the iCategory parameter. NOTE: the vendor has privately disputed this issue, saying that Quick.cart does not even use SQL and therefore can not be… | |||
| CVE-2005-1585 | 0.00 | — | 0.01 | May 11, 2005 | Multiple SQL injection vulnerabilities in Quick.Forum 2.1.6 allow remote attackers to execute arbitrary SQL commands via the (1) iCategory or (2) page parameter to index.php, or (3) iCategory parameter in the query string to the forum directory. |
- risk 0.56cvss —epss 0.00
A Blind SQL injection vulnerability has been identified in QuickCMS. Improper neutralization of input provided by a high-privileged user into aFilesDelete allows for Blind SQL Injection attacks. The vendor was notified early about this vulnerability, but didn't respond with the…
- risk 0.49cvss —epss 0.00
Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation…
- risk 0.35cvss 5.4epss 0.00
Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription parameter. Attackers can craft CSRF forms targeting the admin.php?p=sliders-form…
- risk 0.33cvss —epss 0.00
Quick.Cart is vulnerable to Cross-Site Request Forgery in product creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious product with content defined by the attacker. This…
- risk 0.15cvss —epss 0.00
QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the…
- CVE-2020-35754Jan 28, 2021risk 0.04cvss —epss 0.10
OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Language tab.
- CVE-2012-6430Mar 24, 2014risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in Open Solution Quick.Cms 5.0 and Quick.Cart 6.0, possibly as downloaded before December 19, 2012, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin.php. NOTE: this might be a duplicate of…
- CVE-2009-4120Dec 1, 2009risk 0.03cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.Cart 3.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete orders via an orders-delete action to admin.php, and possibly (2) delete products or (3) delete…
- CVE-2009-1410Apr 24, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Quick.Cms.Lite 0.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-4140Sep 24, 2008risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in admin.php in Quick.Cart 3.1 allows remote attackers to inject arbitrary web script or HTML via the query string.
- CVE-2008-4139Sep 24, 2008risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in admin.php in OpenSolution Quick.Cms.Lite 2.1 allows remote attackers to inject arbitrary web script or HTML via the query string.
- CVE-2007-3138Jun 8, 2007risk 0.03cvss —epss 0.03
Directory traversal vulnerability in index.php in Open Solution Quick.Cart 2.2 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in an sLanguage cookie, which is used to define a value in config/general.php.
- CVE-2007-3139Jun 8, 2007risk 0.03cvss —epss 0.04
config/general.php in Quick.Cart 2.2 and earlier uses a default username and password, which allows remote attackers to access the application via a login action to admin.php. NOTE: this can be leveraged to upload and execute arbitrary code.
- CVE-2006-6391Dec 8, 2006risk 0.03cvss —epss 0.02
Multiple directory traversal vulnerabilities in Open Solution Quick.Cart 2.0, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to include arbitrary files via a .. (dot dot) in the config[db_type] parameter to (1) actions_admin/other.php…
- CVE-2006-6390Dec 8, 2006risk 0.03cvss —epss 0.02
Multiple directory traversal vulnerabilities in Open Solution Quick.Cart 2.0, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the config[db_type] parameter to (1)…
- CVE-2006-5834Nov 10, 2006risk 0.03cvss —epss 0.02
Directory traversal vulnerability in general.php in OpenSolution Quick.Cms.Lite 0.3 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the sLanguage Cookie parameter.
- CVE-2005-1587May 14, 2005risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in index.php for Quick.cart 0.3.0 allows remote attackers to inject arbitrary web script or HTML via the sWord parameter.
- CVE-2026-23796Feb 5, 2026risk 0.00cvss —epss 0.00
Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was…
- CVE-2026-23797Feb 5, 2026risk 0.00cvss —epss 0.00
In Quick.Cart user passwords are stored in plaintext form. An attacker with high privileges can display users' password in user editing page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version…
- CVE-2025-67684Jan 22, 2026risk 0.00cvss —epss 0.01
Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute…
- CVE-2025-67683Jan 22, 2026risk 0.00cvss —epss 0.00
Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim’s browser. The vendor was notified early about this vulnerability, but didn't respond with the…
- CVE-2024-58308Dec 11, 2025risk 0.00cvss —epss 0.01
Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form. Attackers can inject specific SQL payloads like ' or '1'='1 to gain unauthorized administrative access to the system.
- CVE-2025-10018Nov 14, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to multiple Stored XSS in language editor functionality (languages). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript…
- CVE-2025-9982Nov 14, 2025risk 0.00cvss —epss 0.00
A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve authentication details, potentially…
- CVE-2025-9981Oct 23, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality (sliders-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript…
- CVE-2025-9980Oct 23, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to multiple Stored XSS in page editor functionality (pages-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add…
- CVE-2025-55175Aug 28, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to Reflected XSS via sLangEdit parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this…
- CVE-2025-54544Aug 28, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to Stored XSS via aDirFilesDescriptions parameter in files editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is…
- CVE-2025-54543Aug 28, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to Stored XSS via sDescriptionMeta parameter in page editor SEO functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not…
- CVE-2025-54542Aug 28, 2025risk 0.00cvss —epss 0.00
QuickCMS sends password and login via GET Request. This allows a local attacker with access to the victim's browser history to obtain the necessary credentials to log in as the user. The vendor was notified early about this vulnerability, but didn't respond with the details of…
- CVE-2025-54541Aug 28, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to Cross-Site Request Forgery in page deletion functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request deleting an article. The vendor was notified early about this…
- CVE-2025-54540Aug 28, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to Reflected XSS via sSort parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this…
- CVE-2025-54175Aug 20, 2025risk 0.00cvss —epss 0.00
QuickCMS.EXT is vulnerable to Reflected XSS in sFileName parameter in thumbnail viewer functionality. An attacker can craft a malicious URL that results in arbitrary JavaScript execution in the victim's browser when opened. The vendor was notified early about this…
- CVE-2025-54174Aug 20, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to Cross-Site Request Forgery in article creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious article with content defined by the attacker. The…
- CVE-2025-54172Aug 20, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to Stored XSS in sTitle parameter in page editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. Regular admin user is not able to inject any…
- CVE-2023-43346Oct 20, 2023risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Backend - Dashboard parameter in the Languages Menu component.
- CVE-2023-43345Oct 19, 2023risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Content - Name parameter in the Pages Menu component.
- CVE-2023-43342Oct 19, 2023risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Languages Menu component.
- CVE-2023-43344Oct 19, 2023risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the SEO - Meta description parameter in the Pages Menu component.
- CVE-2023-43343Oct 5, 2023risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Files - Description parameter in the Pages Menu component.
- CVE-2012-6049Nov 27, 2012risk 0.00cvss —epss 0.01
Open Solution Quick.Cart 5.0 allows remote attackers to obtain sensitive information via (1) a long string or (2) invalid characters in a cookie, which reveals the installation path in an error message.
- CVE-2012-3833Jul 3, 2012risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the default index page in admin/ in Quick.CMS 4.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter.
- CVE-2009-4121Dec 1, 2009risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.CMS 2.4 and Quick.CMS.Lite 2.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete web pages via a p-delete action to admin.php, and possibly (2) delete products…
- CVE-2007-1407Mar 10, 2007risk 0.00cvss —epss 0.01
Unspecified vulnerability in OpenSolution Quick.Cart before 2.1 has unknown impact and attack vectors, related to a "low critical exploit."
- CVE-2007-0258Jan 16, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in index.php in (1) Fastilo 2.0 and (2) Open Solution Quick.Cart 2.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: some of these details are obtained from third party information.
- CVE-2005-1584May 14, 2005risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php for Quick.Forum 2.1.6 allows remote attackers to inject arbitrary web script or HTML via the topic field in a NewTopic action.
- CVE-2005-1586May 14, 2005risk 0.00cvss —epss 0.01
Quick.Forum 2.1.6 stores potentially sensitive information such as usernames, banned IP addresses, censored words, and backups under the web document root, which allows remote attackers to obtain that information via a direct request to (1) db/users.txt, (2) db/banList.txt, (3)…
- CVE-2005-1588May 11, 2005risk 0.00cvss —epss 0.01
SQL injection vulnerability in index.php for Quick.cart 0.3.0 allows remote attackers to execute arbitrary SQL commands via the iCategory parameter. NOTE: the vendor has privately disputed this issue, saying that Quick.cart does not even use SQL and therefore can not be…
- CVE-2005-1585May 11, 2005risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in Quick.Forum 2.1.6 allow remote attackers to execute arbitrary SQL commands via the (1) iCategory or (2) page parameter to index.php, or (3) iCategory parameter in the query string to the forum directory.