Slims
Products
- 17 CVEs
- 8 CVEs
- 7 CVEs
- 7 CVEs
- 5 CVEs
- 2 CVEs
- 2 CVEs
- 0 CVEs
Recent CVEs
| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2025-25403 | Cri | 0.64 | 9.8 | 0.00 | Apr 29, 2025 | Slims (Senayan Library Management Systems) 9 Bulian V9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/coll_type.php. |
| CVE-2018-12659 | Hig | 0.57 | 8.8 | 0.01 | Jun 22, 2018 | SLiMS 8 Akasia 8.3.1 allows remote attackers to bypass the CSRF protection mechanism and obtain admin access by omitting the csrf_token parameter. |
| CVE-2017-12585 | Hig | 0.57 | 8.8 | 0.02 | Aug 6, 2017 | SLiMS 8 Akasia through 8.3.1 has SQL injection in admin/AJAX_lookup_handler.php (tableName and tableFields parameters), admin/AJAX_check_id.php, and admin/AJAX_vocabolary_control.php. It can be exploited by remote authenticated librarian users. |
| CVE-2017-12584 | Hig | 0.57 | 8.8 | 0.01 | Aug 6, 2017 | There is no CSRF mitigation in SLiMS 8 Akasia through 8.3.1. Also, an entire user profile (including the password) can be updated without sending the current password. This allows remote attackers to trick a user into changing to an attacker-controlled password, a complete… |
| CVE-2025-61488 | Hig | 0.49 | 7.6 | 0.00 | Oct 20, 2025 | An issue in Senayan Library Management System (SLiMS) 9 Bulian v.9.6.1 allows a remote attacker to execute arbitrary code via the scrap_image.php component and the imageURL parameter. |
| CVE-2017-12586 | Med | 0.42 | 6.5 | 0.03 | Aug 6, 2017 | SLiMS 8 Akasia through 8.3.1 has an arbitrary file reading issue because of directory traversal in the url parameter to admin/help.php. It can be exploited by remote authenticated librarian users. |
| CVE-2018-12658 | Med | 0.40 | 6.1 | 0.01 | Jun 22, 2018 | Reflected Cross-Site Scripting (XSS) exists in the Stock Take module in SLiMS 8 Akasia 8.3.1 via an admin/modules/stock_take/index.php?keywords= URI. |
| CVE-2018-12657 | Med | 0.40 | 6.1 | 0.01 | Jun 22, 2018 | Reflected Cross-Site Scripting (XSS) exists in the Master File module in SLiMS 8 Akasia 8.3.1 via an admin/modules/master_file/rda_cmc.php?keywords= URI. |
| CVE-2018-12656 | Med | 0.40 | 6.1 | 0.01 | Jun 22, 2018 | Reflected Cross-Site Scripting (XSS) exists in the Membership module in SLiMS 8 Akasia 8.3.1 via an admin/modules/membership/index.php?keywords= URI. |
| CVE-2018-12655 | Med | 0.40 | 6.1 | 0.01 | Jun 22, 2018 | Reflected Cross-Site Scripting (XSS) exists in the Circulation module in SLiMS 8 Akasia 8.3.1 via an admin/modules/circulation/loan_rules.php?keywords= URI, a related issue to CVE-2017-7242. |
| CVE-2018-12654 | Med | 0.40 | 6.1 | 0.01 | Jun 22, 2018 | Reflected Cross-Site Scripting (XSS) exists in the Bibliography module in SLiMS 8 Akasia 8.3.1 via an admin/modules/bibliography/index.php?keywords= URI. |
| CVE-2017-7242 | Med | 0.40 | 6.1 | 0.01 | Mar 23, 2017 | Multiple Cross-Site Scripting (XSS) were discovered in admin/modules components in SLiMS 7 Cendana through 2017-03-23: the keywords parameter to bibliography/checkout_item.php, bibliography/dl_print.php, bibliography/item.php, bibliography/item_barcode_generator.php,… |
| CVE-2017-7202 | Med | 0.40 | 6.1 | 0.01 | Mar 21, 2017 | Multiple Cross-Site Scripting (XSS) were discovered in SLiMS 7 Cendana before 2017-03-16. The vulnerabilities exist due to insufficient filtration of user-supplied data (id) passed to the 'slims7_cendana-master/template/default/detail_template.php' and… |
| CVE-2025-65233 | | 0.00 | — | 0.00 | Dec 17, 2025 | Reflected cross-site scripting (XSS) in SLiMS (slims9_bulian) before 9.6.0 via improper handling of $_SERVER['PHP_SELF' ] in index.php/sysconfig.inc.php, which allows remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted URL path. |
| CVE-2025-45820 | | 0.00 | — | 0.00 | May 8, 2025 | Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerable to SQL Injection in admin/modules/bibliography/pop_author_edit.php. |
| CVE-2025-45818 | | 0.00 | — | 0.00 | May 8, 2025 | Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/item_status.php. |
| CVE-2025-45819 | | 0.00 | — | 0.00 | May 8, 2025 | Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/author.php. |
| CVE-2025-26200 | | 0.00 | — | 0.01 | Feb 24, 2025 | SQL injection in SLIMS v.9.6.1 allows a remote attacker to escalate privileges via the month parameter in the visitor_report_day.php component. |
| CVE-2024-25288 | | 0.00 | — | 0.01 | Feb 21, 2024 | SLIMS (Senayan Library Management Systems) 9 Bulian v9.6.1 is vulnerable to SQL Injection via pop-scope-vocabolary.php. |
| CVE-2023-48813 | | 0.00 | — | 0.01 | Dec 1, 2023 | Senayan Library Management Systems (Slims) 9 Bulian v9.6.1 is vulnerable to SQL Injection via admin/modules/reporting/customs/fines_report.php. |