Icms Security Vulnerabilities and Issues — Icms CVE List

Lucene search

IcmsdevIcms

14 matches found

CVE•added 2018/04/10 6:29 a.m.•38 views

CVE-2018-9924

An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injection exists via the pid array parameter in an admincp.php?app=tag&do=save&frame=iPHP request.

9.8CVSS9.8AI score0.00264EPSS

CVE•added 2018/04/16 9:58 a.m.•34 views

CVE-2018-10117

An issue was discovered in idreamsoft iCMS V7.0.7. There is a CSRF vulnerability that can add an admin account via admincp.php?app=members&do=save&frame=iPHP.

8.8CVSS8.6AI score0.00122EPSS

CVE•added 2018/04/10 6:29 a.m.•34 views

CVE-2018-9925

An issue was discovered in idreamsoft iCMS through 7.0.7. XSS exists via the nickname field in an admincp.php?app=user&do=save&frame=iPHP request.

5.4CVSS5.2AI score0.00206EPSS

CVE•added 2018/07/20 1:29 a.m.•33 views

CVE-2018-14415

An issue was discovered in idreamsoft iCMS before 7.0.10. XSS exists via the fourth and fifth input elements on the admincp.php?app=prop&do=add screen.

6.1CVSS5.9AI score0.0024EPSS

CVE•added 2018/08/02 8:29 p.m.•32 views

CVE-2018-14858

An SSRF vulnerability was discovered in idreamsoft iCMS before V7.0.11 because the remote function in app/spider/spider_tools.class.php does not block private and reserved IP addresses such as 10.0.0.0/8. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-14514.

7.5CVSS7.7AI score0.00482EPSS

CVE•added 2018/08/27 4:29 a.m.•32 views

CVE-2018-15895

An SSRF vulnerability was discovered in idreamsoft iCMS 7.0.11 because the remote function in app/spider/spider_tools.class.php does not block DNS hostnames associated with private and reserved IP addresses, as demonstrated by 127.0.0.1 in an A record. NOTE: this vulnerability exists because of an ...

7.5CVSS7.7AI score0.00371EPSS

CVE•added 2018/06/15 7:29 p.m.•31 views

CVE-2018-12498

spider.admincp.php in iCMS v7.0.8 has SQL Injection via the id parameter in an app=spider&do=batch request to admincp.php.

9.8CVSS9.8AI score0.00264EPSS

CVE•added 2018/04/19 8:29 a.m.•30 views

CVE-2018-10222

An issue was discovered in idreamsoft iCMS V7.0. There is a CSRF vulnerability that can add a Column via /admincp.php?app=article_category&do=save&frame=iPHP.

8.8CVSS8.6AI score0.00145EPSS

CVE•added 2018/04/20 6:29 p.m.•30 views

CVE-2018-10250

iCMS V7.0.8 has XSS via the admincp.php keywords parameter in a weixin_category action, aka a WeChat Classified Management keyword search.

5.4CVSS5.2AI score0.00206EPSS

CVE•added 2018/10/29 12:29 p.m.•30 views

CVE-2018-18702

spider.admincp.php in iCMS v7.0.11 allows SQL injection via admincp.php?app=spider&do=import_rule because the upfile content is base64 decoded, deserialized, and used for database insertion.

9.8CVSS9.8AI score0.00264EPSS

CVE•added 2018/04/10 6:29 a.m.•30 views

CVE-2018-9922

An issue was discovered in idreamsoft iCMS through 7.0.7. Physical path leakage exists via an invalid nickname field that reveals a core/library/weixin.class.php pathname.

5.3CVSS5.3AI score0.00232EPSS

CVE•added 2018/07/23 8:29 a.m.•28 views

CVE-2018-14514

An SSRF vulnerability was discovered in idreamsoft iCMS V7.0.9 that allows attackers to read sensitive files, access an intranet, or possibly have unspecified other impact.

9.8CVSS8AI score0.00482EPSS

CVE•added 2018/04/10 6:29 a.m.•28 views

CVE-2018-9923

An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request.

8.8CVSS8.6AI score0.00145EPSS

CVE•added 2018/09/01 6:29 p.m.•23 views

CVE-2018-16314

An issue was discovered in admincp.php in idreamsoft iCMS 7.0.11. When verifying CSRF_TOKEN, if CSRF_TOKEN does not exist, only the Referer header is validated, which can be bypassed via an admincp.php substring in this header.

8.8CVSS8.6AI score0.00145EPSS