Vendor
Slims
Products
5
CVEs
8
Across products
8
Status
Private
Products
5- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
Recent CVEs
8| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-12585 | Hig | 0.57 | 8.8 | 0.01 | Aug 6, 2017 | SLiMS 8 Akasia through 8.3.1 has SQL injection in admin/AJAX_lookup_handler.php (tableName and tableFields parameters), admin/AJAX_check_id.php, and admin/AJAX_vocabolary_control.php. It can be exploited by remote authenticated librarian users. | |
| CVE-2017-12584 | Hig | 0.57 | 8.8 | 0.00 | Aug 6, 2017 | There is no CSRF mitigation in SLiMS 8 Akasia through 8.3.1. Also, an entire user profile (including the password) can be updated without sending the current password. This allows remote attackers to trick a user into changing to an attacker-controlled password, a complete account takeover, via the passwd1 and passwd2 fields in an admin/modules/system/app_user.php changecurrent=true operation. | |
| CVE-2025-61488 | Hig | 0.49 | 7.6 | 0.00 | Oct 20, 2025 | An issue in Senayan Library Management System (SLiMS) 9 Bulian v.9.6.1 allows a remote attacker to execute arbitrary code via the scrap_image.php component and the imageURL parameter | |
| CVE-2017-12586 | Med | 0.42 | 6.5 | 0.00 | Aug 6, 2017 | SLiMS 8 Akasia through 8.3.1 has an arbitrary file reading issue because of directory traversal in the url parameter to admin/help.php. It can be exploited by remote authenticated librarian users. | |
| CVE-2017-7242 | Med | 0.40 | 6.1 | 0.00 | Mar 23, 2017 | Multiple Cross-Site Scripting (XSS) were discovered in admin/modules components in SLiMS 7 Cendana through 2017-03-23: the keywords parameter to bibliography/checkout_item.php, bibliography/dl_print.php, bibliography/item.php, bibliography/item_barcode_generator.php, bibliography/printed_card.php, circulation/loan_rules.php, master_file/author.php, master_file/coll_type.php, and master_file/doc_language.php and the quickReturnID field to circulation/ajax_action.php. | |
| CVE-2017-7202 | Med | 0.40 | 6.1 | 0.00 | Mar 21, 2017 | Multiple Cross-Site Scripting (XSS) were discovered in SLiMS 7 Cendana before 2017-03-16. The vulnerabilities exist due to insufficient filtration of user-supplied data (id) passed to the 'slims7_cendana-master/template/default/detail_template.php' and 'slims7_cendana-master/template/default-rtl/detail_template.php' URLs. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |
| CVE-2025-65233 | 0.00 | — | 0.00 | Dec 17, 2025 | Reflected cross-site scripting (XSS) in SLiMS (slims9_bulian) before 9.6.0 via improper handling of $_SERVER['PHP_SELF' ] in index.php/sysconfig.inc.php, which allows remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted URL path. | ||
| CVE-2013-4412 | 0.00 | — | 0.01 | Nov 4, 2019 | slim has NULL pointer dereference when using crypt() method from glibc 2.17 |