Vendor CVEs
S CMS
All CVEs
52 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-51052 | Cri | 0.64 | 9.8 | 0.01 | Dec 21, 2023 | S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_formauth parameter at /admin/ajax.php. | ||
| CVE-2023-51051 | Cri | 0.64 | 9.8 | 0.01 | Dec 21, 2023 | S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_textauth parameter at /admin/ajax.php. | ||
| CVE-2023-51050 | Cri | 0.64 | 9.8 | 0.01 | Dec 21, 2023 | S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_productauth parameter at /admin/ajax.php. | ||
| CVE-2023-51049 | Cri | 0.64 | 9.8 | 0.01 | Dec 21, 2023 | S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_bbsauth parameter at /admin/ajax.php. | ||
| CVE-2023-51048 | Cri | 0.64 | 9.8 | 0.01 | Dec 21, 2023 | S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_newsauth parameter at /admin/ajax.php. | ||
| CVE-2022-23336 | Cri | 0.64 | 9.8 | 0.01 | Feb 14, 2022 | S-CMS v5.0 was discovered to contain a SQL injection vulnerability in member_pay.php via the O_id parameter. | ||
| CVE-2019-10708 | Cri | 0.64 | 9.8 | 0.03 | Apr 2, 2019 | S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike id parameter. | ||
| CVE-2019-6805 | Cri | 0.64 | 9.8 | 0.01 | Jan 25, 2019 | SQL Injection was found in S-CMS version V3.0 via the alipay/alipayapi.php O_id parameter. | ||
| CVE-2018-20480 | Cri | 0.64 | 9.8 | 0.01 | Dec 26, 2018 | An issue was discovered in S-CMS 1.0. It allows SQL Injection via the js/pic.php P_id parameter. | ||
| CVE-2018-20479 | Cri | 0.64 | 9.8 | 0.01 | Dec 26, 2018 | An issue was discovered in S-CMS 1.0. It allows SQL Injection via the wap_index.php?type=newsinfo S_id parameter. | ||
| CVE-2018-20477 | Cri | 0.64 | 9.8 | 0.01 | Dec 26, 2018 | An issue was discovered in S-CMS 3.0. It allows SQL Injection via the bank/callback1.php P_no field. | ||
| CVE-2018-18427 | Cri | 0.64 | 9.8 | 0.01 | Oct 17, 2018 | s-cms 3.0 allows SQL Injection via the member/post.php 0_id parameter or the POST data to member/member_login.php. | ||
| CVE-2011-10009 | Hig | 0.60 | — | 0.02 | Aug 13, 2025 | S40 CMS v0.4.2 contains a path traversal vulnerability in its index.php page handler. The p parameter is not properly sanitized, allowing attackers to traverse the file system and access arbitrary files outside the web root. This can be exploited remotely without authentication… | ||
| CVE-2019-10237 | Hig | 0.57 | 8.8 | 0.01 | Mar 27, 2019 | S-CMS PHP v1.0 has a CSRF vulnerability to add a new admin user via the 4.edu.php/admin/ajax.php?type=admin&action=add&lang=0 URI, a related issue to CVE-2019-9040. | ||
| CVE-2019-9040 | Hig | 0.57 | 8.8 | 0.01 | Feb 23, 2019 | S-CMS PHP v3.0 has a CSRF vulnerability to add a new admin user via the admin/ajax.php?type=admin&action=add URI, a related issue to CVE-2018-19332. | ||
| CVE-2018-19332 | Hig | 0.57 | 8.8 | 0.00 | Nov 17, 2018 | An issue was discovered in S-CMS v1.5. There is a CSRF vulnerability that can add a new user via the admin/ajax.php?type=member&action=add URI. | ||
| CVE-2018-18426 | Hig | 0.57 | 8.8 | 0.02 | Oct 17, 2018 | s-cms 3.0 allows remote attackers to execute arbitrary PHP code by placing this code in a crafted User-agent Disallow value in the robots.php txt parameter. | ||
| CVE-2020-19954 | Hig | 0.49 | 7.5 | 0.01 | Oct 14, 2021 | An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files. | ||
| CVE-2020-20340 | Hig | 0.49 | 7.5 | 0.01 | Sep 1, 2021 | A SQL injection vulnerability in the 4.edu.php\conn\function.php component of S-CMS v1.0 allows attackers to access sensitive database information. | ||
| CVE-2018-20478 | Hig | 0.49 | 7.5 | 0.01 | Dec 26, 2018 | An issue was discovered in S-CMS 1.0. It allows reading certain files, such as PHP source code, via the admin/download.php DownName parameter with a mixed-case extension, as demonstrated by a DownName=download.Php value. | ||
| CVE-2018-20018 | Hig | 0.49 | 7.5 | 0.01 | Dec 10, 2018 | S-CMS V3.0 has SQL injection via the S_id parameter, as demonstrated by the /1/?type=productinfo&S_id=140 URI. | ||
| CVE-2018-19331 | Hig | 0.49 | 7.5 | 0.01 | Nov 17, 2018 | An issue was discovered in S-CMS v1.5. There is a SQL injection vulnerability in search.php via the keyword parameter. | ||
| CVE-2017-2163 | Hig | 0.49 | 7.5 | 0.02 | May 12, 2017 | Directory traversal vulnerability in SOY CMS Ver.1.8.1 to Ver.1.8.12 allows authenticated attackers to read arbitrary files via shop_id. | ||
| CVE-2023-29963 | Hig | 0.47 | 7.2 | 0.02 | May 5, 2023 | S-CMS v5.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /admin/ajax.php. | ||
| CVE-2020-20698 | Hig | 0.47 | 7.2 | 0.02 | Jul 30, 2021 | A remote code execution (RCE) vulnerability in /1.com.php of S-CMS PHP v3.0 allows attackers to getshell via modification of a PHP file. | ||
| CVE-2019-11376 | Hig | 0.47 | 7.2 | 0.02 | Apr 20, 2019 | SOY CMS v3.0.2 allows remote attackers to execute arbitrary PHP code via a <?php substring in the second text box. NOTE: the vendor indicates that there was an assumption that the content is "made editable on its own. | ||
| CVE-2023-29962 | Med | 0.42 | 6.5 | 0.01 | Jan 4, 2024 | S-CMS v5.0 was discovered to contain an arbitrary file read vulnerability. | ||
| CVE-2020-20426 | Med | 0.40 | 6.1 | 0.01 | Dec 22, 2021 | S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in /function/booksave.php. | ||
| CVE-2020-20425 | Med | 0.40 | 6.1 | 0.01 | Dec 22, 2021 | S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in the search function. | ||
| CVE-2019-17368 | Med | 0.40 | 6.1 | 0.01 | Oct 9, 2019 | S-CMS v1.5 has XSS in tpl.php via the member/member_login.php from parameter. | ||
| CVE-2019-16312 | Med | 0.40 | 6.1 | 0.01 | Sep 14, 2019 | s-cms V3.0 has XSS in index.php?type=text via the S_id parameter. | ||
| CVE-2019-9925 | Med | 0.40 | 6.1 | 0.01 | Mar 22, 2019 | S-CMS PHP v1.0 has XSS in 4.edu.php via the S_id parameter. | ||
| CVE-2018-20476 | Med | 0.40 | 6.1 | 0.01 | Dec 26, 2018 | An issue was discovered in S-CMS 3.0. It allows XSS via the admin/demo.php T_id parameter. | ||
| CVE-2018-19145 | Med | 0.40 | 6.1 | 0.01 | Nov 9, 2018 | An issue was discovered in S-CMS v1.5. There is an XSS vulnerability in search.php via the keyword parameter. | ||
| CVE-2017-2164 | Med | 0.40 | 6.1 | 0.01 | May 12, 2017 | Cross-site scripting vulnerability in SOY CMS with installer 1.8.12 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2023-7191 | Med | 0.36 | 5.5 | 0.00 | Dec 31, 2023 | A vulnerability, which was classified as critical, was found in S-CMS up to 2.0_build20220529-20231006. This affects an unknown part of the file member/reg.php. The manipulation of the argument M_login/M_email leads to sql injection. The exploit has been disclosed to the public… | ||
| CVE-2023-7190 | Med | 0.36 | 5.5 | 0.00 | Dec 31, 2023 | A vulnerability, which was classified as critical, has been found in S-CMS up to 2.0_build20220529-20231006. Affected by this issue is some unknown functionality of the file /member/ad.php?action=ad. The manipulation of the argument A_text/A_url/A_contact leads to sql injection.… | ||
| CVE-2023-7189 | Med | 0.36 | 5.5 | 0.00 | Dec 31, 2023 | A vulnerability classified as critical was found in S-CMS up to 2.0_build20220529-20231006. Affected by this vulnerability is an unknown functionality of the file /s/index.php?action=statistics. The manipulation of the argument lid leads to sql injection. The exploit has been… | ||
| CVE-2020-19158 | Med | 0.35 | 5.4 | 0.01 | Sep 15, 2021 | Cross Site Scripting (XSS) in S-CMS build 20191014 and earlier allows remote attackers to execute arbitrary code via the 'Site Title' parameter of the component '/data/admin/#/app/config/'. | ||
| CVE-2020-19046 | Med | 0.35 | 5.4 | 0.01 | Aug 31, 2021 | Cross Site Scripting (XSS) in S-CMS v1.0 allows remote attackers to execute arbitrary code via the component '/admin/tpl.php?page='. | ||
| CVE-2020-20701 | Med | 0.31 | 4.8 | 0.01 | Jul 30, 2021 | A stored cross site scripting (XSS) vulnerability in /app/config/of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||
| CVE-2020-20700 | Med | 0.31 | 4.8 | 0.01 | Jul 30, 2021 | A stored cross site scripting (XSS) vulnerability in /app/form_add/of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Title Entry text box. | ||
| CVE-2022-4377 | Low | 0.23 | 3.5 | 0.00 | Dec 9, 2022 | A vulnerability was found in S-CMS 5.0 Build 20220328. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Contact Information Page. The manipulation of the argument Make a Call leads to cross site scripting. The… | ||
| CVE-2010-4772 | 0.03 | — | 0.01 | Mar 23, 2011 | Cross-site scripting (XSS) vulnerability in blocks/lang.php in S-CMS 2.5 allows remote attackers to inject arbitrary web script or HTML via the id parameter to viewforum.php. | |||
| CVE-2010-4771 | 0.03 | — | 0.01 | Mar 23, 2011 | SQL injection vulnerability to viewforum.php in S-CMS 2.5 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2009-1502 | 0.03 | — | 0.02 | May 1, 2009 | Directory traversal vulnerability in plugin.php in S-Cms 1.1 Stable and 1.5.2 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the page parameter. | |||
| CVE-2009-0864 | 0.03 | — | 0.03 | Mar 10, 2009 | S-Cms 1.1 Stable allows remote attackers to bypass authentication and obtain administrative access via an OK value for the login cookie. | |||
| CVE-2009-0863 | 0.03 | — | 0.01 | Mar 10, 2009 | SQL injection vulnerability in admin/delete_page.php in S-Cms 1.1 Stable allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2024-28187 | Hig | 0.00 | 7.2 | 0.02 | Mar 11, 2024 | SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability… | ||
| CVE-2020-15189 | Med | 0.00 | 6.8 | 0.03 | Sep 18, 2020 | SOY CMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) using Unrestricted File Upload. Cross-Site Scripting(XSS) vulnerability that was used in CVE-2020-15183 can be used to increase impact by redirecting the administrator to access a specially crafted page. This… |
- risk 0.64cvss 9.8epss 0.01
S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_formauth parameter at /admin/ajax.php.
- risk 0.64cvss 9.8epss 0.01
S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_textauth parameter at /admin/ajax.php.
- risk 0.64cvss 9.8epss 0.01
S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_productauth parameter at /admin/ajax.php.
- risk 0.64cvss 9.8epss 0.01
S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_bbsauth parameter at /admin/ajax.php.
- risk 0.64cvss 9.8epss 0.01
S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_newsauth parameter at /admin/ajax.php.
- risk 0.64cvss 9.8epss 0.01
S-CMS v5.0 was discovered to contain a SQL injection vulnerability in member_pay.php via the O_id parameter.
- risk 0.64cvss 9.8epss 0.03
S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike id parameter.
- risk 0.64cvss 9.8epss 0.01
SQL Injection was found in S-CMS version V3.0 via the alipay/alipayapi.php O_id parameter.
- risk 0.64cvss 9.8epss 0.01
An issue was discovered in S-CMS 1.0. It allows SQL Injection via the js/pic.php P_id parameter.
- risk 0.64cvss 9.8epss 0.01
An issue was discovered in S-CMS 1.0. It allows SQL Injection via the wap_index.php?type=newsinfo S_id parameter.
- risk 0.64cvss 9.8epss 0.01
An issue was discovered in S-CMS 3.0. It allows SQL Injection via the bank/callback1.php P_no field.
- risk 0.64cvss 9.8epss 0.01
s-cms 3.0 allows SQL Injection via the member/post.php 0_id parameter or the POST data to member/member_login.php.
- risk 0.60cvss —epss 0.02
S40 CMS v0.4.2 contains a path traversal vulnerability in its index.php page handler. The p parameter is not properly sanitized, allowing attackers to traverse the file system and access arbitrary files outside the web root. This can be exploited remotely without authentication…
- risk 0.57cvss 8.8epss 0.01
S-CMS PHP v1.0 has a CSRF vulnerability to add a new admin user via the 4.edu.php/admin/ajax.php?type=admin&action=add&lang=0 URI, a related issue to CVE-2019-9040.
- risk 0.57cvss 8.8epss 0.01
S-CMS PHP v3.0 has a CSRF vulnerability to add a new admin user via the admin/ajax.php?type=admin&action=add URI, a related issue to CVE-2018-19332.
- risk 0.57cvss 8.8epss 0.00
An issue was discovered in S-CMS v1.5. There is a CSRF vulnerability that can add a new user via the admin/ajax.php?type=member&action=add URI.
- risk 0.57cvss 8.8epss 0.02
s-cms 3.0 allows remote attackers to execute arbitrary PHP code by placing this code in a crafted User-agent Disallow value in the robots.php txt parameter.
- risk 0.49cvss 7.5epss 0.01
An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files.
- risk 0.49cvss 7.5epss 0.01
A SQL injection vulnerability in the 4.edu.php\conn\function.php component of S-CMS v1.0 allows attackers to access sensitive database information.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in S-CMS 1.0. It allows reading certain files, such as PHP source code, via the admin/download.php DownName parameter with a mixed-case extension, as demonstrated by a DownName=download.Php value.
- risk 0.49cvss 7.5epss 0.01
S-CMS V3.0 has SQL injection via the S_id parameter, as demonstrated by the /1/?type=productinfo&S_id=140 URI.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in S-CMS v1.5. There is a SQL injection vulnerability in search.php via the keyword parameter.
- risk 0.49cvss 7.5epss 0.02
Directory traversal vulnerability in SOY CMS Ver.1.8.1 to Ver.1.8.12 allows authenticated attackers to read arbitrary files via shop_id.
- risk 0.47cvss 7.2epss 0.02
S-CMS v5.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /admin/ajax.php.
- risk 0.47cvss 7.2epss 0.02
A remote code execution (RCE) vulnerability in /1.com.php of S-CMS PHP v3.0 allows attackers to getshell via modification of a PHP file.
- risk 0.47cvss 7.2epss 0.02
SOY CMS v3.0.2 allows remote attackers to execute arbitrary PHP code via a <?php substring in the second text box. NOTE: the vendor indicates that there was an assumption that the content is "made editable on its own.
- risk 0.42cvss 6.5epss 0.01
S-CMS v5.0 was discovered to contain an arbitrary file read vulnerability.
- risk 0.40cvss 6.1epss 0.01
S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in /function/booksave.php.
- risk 0.40cvss 6.1epss 0.01
S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in the search function.
- risk 0.40cvss 6.1epss 0.01
S-CMS v1.5 has XSS in tpl.php via the member/member_login.php from parameter.
- risk 0.40cvss 6.1epss 0.01
s-cms V3.0 has XSS in index.php?type=text via the S_id parameter.
- risk 0.40cvss 6.1epss 0.01
S-CMS PHP v1.0 has XSS in 4.edu.php via the S_id parameter.
- risk 0.40cvss 6.1epss 0.01
An issue was discovered in S-CMS 3.0. It allows XSS via the admin/demo.php T_id parameter.
- risk 0.40cvss 6.1epss 0.01
An issue was discovered in S-CMS v1.5. There is an XSS vulnerability in search.php via the keyword parameter.
- risk 0.40cvss 6.1epss 0.01
Cross-site scripting vulnerability in SOY CMS with installer 1.8.12 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- risk 0.36cvss 5.5epss 0.00
A vulnerability, which was classified as critical, was found in S-CMS up to 2.0_build20220529-20231006. This affects an unknown part of the file member/reg.php. The manipulation of the argument M_login/M_email leads to sql injection. The exploit has been disclosed to the public…
- risk 0.36cvss 5.5epss 0.00
A vulnerability, which was classified as critical, has been found in S-CMS up to 2.0_build20220529-20231006. Affected by this issue is some unknown functionality of the file /member/ad.php?action=ad. The manipulation of the argument A_text/A_url/A_contact leads to sql injection.…
- risk 0.36cvss 5.5epss 0.00
A vulnerability classified as critical was found in S-CMS up to 2.0_build20220529-20231006. Affected by this vulnerability is an unknown functionality of the file /s/index.php?action=statistics. The manipulation of the argument lid leads to sql injection. The exploit has been…
- risk 0.35cvss 5.4epss 0.01
Cross Site Scripting (XSS) in S-CMS build 20191014 and earlier allows remote attackers to execute arbitrary code via the 'Site Title' parameter of the component '/data/admin/#/app/config/'.
- risk 0.35cvss 5.4epss 0.01
Cross Site Scripting (XSS) in S-CMS v1.0 allows remote attackers to execute arbitrary code via the component '/admin/tpl.php?page='.
- risk 0.31cvss 4.8epss 0.01
A stored cross site scripting (XSS) vulnerability in /app/config/of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
- risk 0.31cvss 4.8epss 0.01
A stored cross site scripting (XSS) vulnerability in /app/form_add/of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Title Entry text box.
- risk 0.23cvss 3.5epss 0.00
A vulnerability was found in S-CMS 5.0 Build 20220328. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Contact Information Page. The manipulation of the argument Make a Call leads to cross site scripting. The…
- CVE-2010-4772Mar 23, 2011risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in blocks/lang.php in S-CMS 2.5 allows remote attackers to inject arbitrary web script or HTML via the id parameter to viewforum.php.
- CVE-2010-4771Mar 23, 2011risk 0.03cvss —epss 0.01
SQL injection vulnerability to viewforum.php in S-CMS 2.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2009-1502May 1, 2009risk 0.03cvss —epss 0.02
Directory traversal vulnerability in plugin.php in S-Cms 1.1 Stable and 1.5.2 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the page parameter.
- CVE-2009-0864Mar 10, 2009risk 0.03cvss —epss 0.03
S-Cms 1.1 Stable allows remote attackers to bypass authentication and obtain administrative access via an OK value for the login cookie.
- CVE-2009-0863Mar 10, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in admin/delete_page.php in S-Cms 1.1 Stable allows remote attackers to execute arbitrary SQL commands via the id parameter.
- risk 0.00cvss 7.2epss 0.02
SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability…
- risk 0.00cvss 6.8epss 0.03
SOY CMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) using Unrestricted File Upload. Cross-Site Scripting(XSS) vulnerability that was used in CVE-2020-15183 can be used to increase impact by redirecting the administrator to access a specially crafted page. This…
Page 1 of 2