Vendor CVEs
Slims
All CVEs
36 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-25403 | Slims / SLiMS 9 Bulian | Critical | 0.64 | 9.8 | 0.00 | — | Apr 29, 2025 | Slims (Senayan Library Management Systems) 9 Bulian V9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/coll_type.php. |
| CVE-2018-12659 | Slims / SLiMS 8 Akasia | High | 0.57 | 8.8 | 0.01 | — | Jun 22, 2018 | SLiMS 8 Akasia 8.3.1 allows remote attackers to bypass the CSRF protection mechanism and obtain admin access by omitting the csrf_token parameter. |
| CVE-2017-12585 | Slims / SLiMS 8 Akasia | High | 0.57 | 8.8 | 0.02 | — | Aug 6, 2017 | SLiMS 8 Akasia through 8.3.1 has SQL injection in admin/AJAX_lookup_handler.php (tableName and tableFields parameters), admin/AJAX_check_id.php, and admin/AJAX_vocabolary_control.php. It can be exploited by remote authenticated librarian users. |
| CVE-2017-12584 | Slims / SLiMS 8 Akasia | High | 0.57 | 8.8 | 0.01 | — | Aug 6, 2017 | There is no CSRF mitigation in SLiMS 8 Akasia through 8.3.1. Also, an entire user profile (including the password) can be updated without sending the current password. This allows remote attackers to trick a user into changing to an attacker-controlled password, a complete… |
| CVE-2025-61488 | Slims / SLiMS 9 Bulian | High | 0.49 | 7.6 | 0.00 | — | Oct 20, 2025 | An issue in Senayan Library Management System (SLiMS) 9 Bulian v.9.6.1 allows a remote attacker to execute arbitrary code via the scrap_image.php component and the imageURL parameter. |
| CVE-2017-12586 | Slims / SLiMS 8 Akasia | Medium | 0.42 | 6.5 | 0.03 | — | Aug 6, 2017 | SLiMS 8 Akasia through 8.3.1 has an arbitrary file reading issue because of directory traversal in the url parameter to admin/help.php. It can be exploited by remote authenticated librarian users. |
| CVE-2018-12658 | Slims / SLiMS 8 Akasia | Medium | 0.40 | 6.1 | 0.01 | — | Jun 22, 2018 | Reflected Cross-Site Scripting (XSS) exists in the Stock Take module in SLiMS 8 Akasia 8.3.1 via an admin/modules/stock_take/index.php?keywords= URI. |
| CVE-2018-12657 | Slims / SLiMS 8 Akasia | Medium | 0.40 | 6.1 | 0.01 | — | Jun 22, 2018 | Reflected Cross-Site Scripting (XSS) exists in the Master File module in SLiMS 8 Akasia 8.3.1 via an admin/modules/master_file/rda_cmc.php?keywords= URI. |
| CVE-2018-12656 | Slims / SLiMS 8 Akasia | Medium | 0.40 | 6.1 | 0.01 | — | Jun 22, 2018 | Reflected Cross-Site Scripting (XSS) exists in the Membership module in SLiMS 8 Akasia 8.3.1 via an admin/modules/membership/index.php?keywords= URI. |
| CVE-2018-12655 | Slims / SLiMS 8 Akasia | Medium | 0.40 | 6.1 | 0.01 | — | Jun 22, 2018 | Reflected Cross-Site Scripting (XSS) exists in the Circulation module in SLiMS 8 Akasia 8.3.1 via an admin/modules/circulation/loan_rules.php?keywords= URI, a related issue to CVE-2017-7242. |
| CVE-2018-12654 | Slims / SLiMS 8 Akasia | Medium | 0.40 | 6.1 | 0.01 | — | Jun 22, 2018 | Reflected Cross-Site Scripting (XSS) exists in the Bibliography module in SLiMS 8 Akasia 8.3.1 via an admin/modules/bibliography/index.php?keywords= URI. |
| CVE-2017-7242 | Slims / SLiMS 7 Cendana | Medium | 0.40 | 6.1 | 0.01 | — | Mar 23, 2017 | Multiple Cross-Site Scripting (XSS) were discovered in admin/modules components in SLiMS 7 Cendana through 2017-03-23: the keywords parameter to bibliography/checkout_item.php, bibliography/dl_print.php, bibliography/item.php, bibliography/item_barcode_generator.php,… |
| CVE-2017-7202 | Slims / SLiMS 7 Cendana | Medium | 0.40 | 6.1 | 0.01 | — | Mar 21, 2017 | Multiple Cross-Site Scripting (XSS) were discovered in SLiMS 7 Cendana before 2017-03-16. The vulnerabilities exist due to insufficient filtration of user-supplied data (id) passed to the 'slims7_cendana-master/template/default/detail_template.php' and… |
| CVE-2025-65233 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.00 | — | Dec 17, 2025 | Reflected cross-site scripting (XSS) in SLiMS (slims9_bulian) before 9.6.0 via improper handling of $_SERVER['PHP_SELF'] in index.php/sysconfig.inc.php, which allows remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted URL path. |
| CVE-2025-45820 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.00 | — | May 8, 2025 | Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerable to SQL Injection in admin/modules/bibliography/pop_author_edit.php. |
| CVE-2025-45818 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.00 | — | May 8, 2025 | Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/item_status.php. |
| CVE-2025-45819 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.00 | — | May 8, 2025 | Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/author.php. |
| CVE-2025-26200 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.01 | — | Feb 24, 2025 | SQL injection in SLIMS v.9.6.1 allows a remote attacker to escalate privileges via the month parameter in the visitor_report_day.php component. |
| CVE-2024-25288 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.01 | — | Feb 21, 2024 | SLIMS (Senayan Library Management Systems) 9 Bulian v9.6.1 is vulnerable to SQL Injection via pop-scope-vocabolary.php. |
| CVE-2023-48813 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.01 | — | Dec 1, 2023 | Senayan Library Management Systems (Slims) 9 Bulian v9.6.1 is vulnerable to SQL Injection via admin/modules/reporting/customs/fines_report.php. |
| CVE-2023-48893 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.01 | — | Dec 1, 2023 | SLiMS (aka SENAYAN Library Management System) through 9.6.1 allows admin/modules/reporting/customs/staff_act.php SQL Injection via startDate or untilDate. |
| CVE-2023-45996 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.01 | — | Oct 31, 2023 | SQL injection vulnerability in Senayan Library Management Systems Slims v.9 and Bulian v.9.6.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted script to the reborrowLimit parameter in the member_type.php. |
| CVE-2023-3744 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.00 | — | Oct 2, 2023 | Server-Side Request Forgery vulnerability in SLims version 9.6.0. This vulnerability could allow an authenticated attacker to send requests to internal services or upload the contents of relevant files via the "scrape_image.php" file in the imageURL parameter. |
| CVE-2023-40970 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.01 | — | Sep 1, 2023 | Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vulnerable to SQL Injection via admin/modules/circulation/loan_rules.php. |
| CVE-2023-40969 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.00 | — | Sep 1, 2023 | Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vulnerable to Server Side Request Forgery (SSRF) via admin/modules/bibliography/pop_p2p.php. |
| CVE-2023-29850 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.01 | — | Apr 14, 2023 | SENAYAN Library Management System (SLiMS) Bulian v9.5.2 does not strip EXIF data from uploaded images. This allows attackers to obtain information such as the user's geolocation and device information. |
| CVE-2023-24086 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.00 | — | Feb 13, 2023 | SLIMS v9.5.2 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /customs/loan_by_class.php?reportView. |
| CVE-2022-45019 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.01 | — | Dec 5, 2022 | SLiMS 9 Bulian v9.5.0 was discovered to contain a SQL injection vulnerability via the keywords parameter. |
| CVE-2022-43361 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.00 | — | Nov 1, 2022 | Senayan Library Management System v9.4.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the component pop_chart.php. |
| CVE-2022-38292 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.01 | — | Sep 12, 2022 | SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgeries via the components /bibliography/marcsru.php and /bibliography/z3950sru.php. |
| CVE-2022-38291 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.00 | — | Sep 12, 2022 | SLiMS Senayan Library Management System v9.4.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Search function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Search bar. |
| CVE-2021-45794 | Slims / SLiMS 9 Bulian | — | 0.00 | — | 0.01 | — | Mar 17, 2022 | Slims9 Bulian 9.4.2 is affected by SQL injection in /admin/modules/system/backup.php. User data can be obtained. |
| CVE-2021-45791 | Slims / SLiMS 8 Akasia | — | 0.00 | — | 0.01 | — | Mar 17, 2022 | Slims8 Akasia 8.3.1 is affected by SQL injection in /admin/modules/bibliography/index.php, /admin/modules/membership/member_type.php, /admin/modules/system/user_group.php, and /admin/modules/membership/index.php through the dir parameter. It can be used by remotely authenticated… |
| CVE-2013-4412 | SLiM (Simple Login Manager) | — | 0.00 | — | 0.03 | — | Nov 4, 2019 | slim has a NULL pointer dereference when using the crypt() method from glibc 2.17. |
| CVE-2010-2945 | SLiM (Simple Login Manager) | — | 0.00 | — | 0.00 | — | Aug 30, 2010 | The default configuration of SLiM before 1.3.2 places ./ (dot slash) at the beginning of the default_path option, which might allow local users to gain privileges via a Trojan horse program in the current working directory, related to slim.conf and cfg.cpp. |
| CVE-2009-1756 | SLiM (Simple Login Manager) | — | 0.00 | — | 0.00 | — | May 22, 2009 | SLiM Simple Login Manager 1.3.0 places the X authority magic cookie (mcookie) on the command line when invoking xauth from (1) app.cpp and (2) switchuser.cpp, which allows local users to access the X session by listing the process and its arguments. |

Sev is the CVSS qualitative severity (Critical, High, Medium); "—" means no CVSS score or KEV listing was recorded for that entry. Entries below the severity-scored rows carry a risk of 0.00 because they have no CVSS base score, not because they are harmless: the unscored 9.6.1 entries are mostly authenticated SQL injection and SSRF in admin modules, and anyone triaging a SLiMS deployment should treat the whole 9.6.1 set as one patch target rather than ranking by this column. Note also that the last three entries (CVE-2013-4412, CVE-2010-2945, CVE-2009-1756) describe SLiM, the X11 Simple Login Manager, not SLiMS; their descriptions make the product clear, and they are most likely listed here because of the similar name.