30 matches found
CVE-2019-16677
CVE-2019-16677 affects idreamsoft iCMS 7.0; the vulnerability is a CSRF flaw in admincp.php?app=members&do=del. The connected records corroborate a CSRF issue but do not provide exploit details, affected versions beyond iCMS V7.0, or remediation steps. MITRE/ATT&CK mappings are not specified in t...
CVE-2020-26641
CVE-2020-26641: CSRF vulnerability in iCMS 7.0.16 could allow an attacker to execute arbitrary web scripts. The connected sources confirm iCMS 7.0.16 is affected; no remediation details are provided in these documents. Exploitation status, affected versions beyond 7.0.16, and fixes are not specif...
CVE-2019-17583
This CVE affects idreamsoft iCMS 7.0.15 . The vulnerability is a Denial of Service via a crafted request that abuses the comment query in admincp.php (app=comment&perpage=...), causing resource consumption when querying many comments. Root cause is not explicitly detailed beyond a large positive ...
CVE-2020-18070
CVE-2020-18070 : In iCMS v7.0.13, a path traversal vulnerability in the PHP component database.admincp.php lets remote attackers delete folders by injecting commands in a crafted HTTP request to the do_del() method. Impact per CVSS indicates high integrity and availability impact (I/H, A/H) with ...
CVE-2019-8902
idreamsoft iCMS
CVE-2019-7160
CVE-2019-7160 affects idreamsoft iCMS 7.0.13. The vulnerability is a Directory Traversal in which an attacker can reach admincp.php?app=files with the udir parameter and files.admincp.php, enabling arbitrary PHP code execution from a ZIP file passed via admincp.php?app=apps with the zipfile param...
CVE-2021-44977
The CVE-2021-44977 entry concerns iCMS versions up to and including 8.0.0, where a directory traversal flaw allows an attacker to read arbitrary files. The vulnerability stems from an issue in iCMS that enables traversal of the server’s file system, potentially exposing sensitive data. No explici...
CVE-2021-44978
Summary: CVE-2021-44978 affects iCMS
CVE-2023-39805
CVE-2023-39805 affects iCMS v7.0.16, with a SQL injection vulnerability in the where parameter of admincp.php. The issue is documented across multiple feeds; the NVD entry lists a CVSS v3.1 base score of 9.8 (CRITICAL), indicating high impact on confidentiality, integrity, and availability. The r...
CVE-2023-40953
Affected software: iCMS 7.0.16. Vulnerability: Cross-Site Request Forgery (CSRF). Root cause (per sources): do_save() does not adequately verify that a request originates from a trusted user. Impact (as described): an attacker could forge a malicious request and trick a logged-in user into perfor...
CVE-2019-11427
The CVE-2019-11427 entry concerns an XSS vulnerability in idreamsoft iCMS 7.0.14, exploitable via the public/api.php?app=search&q parameter within the file app/search/search.app.php. Connected sources consistently describe the issue as a Cross-Site Scripting vulnerability in iCMS 7.0.14, with no ...
CVE-2019-7235
The CVE-2019-7235 entry concerns idreamsoft iCMS 7.0.13. A directory traversal flaw exists in admincp.php?app=apps&do=save that can be triggered through _app=/../ to designate an arbitrary directory; this path can then be deleted via an admincp.php?app=apps&do=uninstall request. The connected doc...
CVE-2023-39806
CVE-2023-39806 affects iCMS v7.0.16 with a SQL injection vulnerability in the bakupdata function. Reported in multiple sources, it yields a high/critical impact (CVSS v3.1: 9.8) via network access and no privileges required. The vulnerability concerns the bakupdata function, enabling potential SQ...
CVE-2019-17552
Concrete details found: CVE-2019-17552 affects idreamsoft iCMS v7.0.14. The vulnerability is a SQL injection in spider_project.admincp.php during the 'upload spider project scheme' feature, exploitable via a two-dimensional payload. The issue is documented across multiple sources (NVD, Red Hat, C...
CVE-2020-19142
The CVE-2020-19142 entry describes a vulnerability in iCMS 7 where an attacker can execute arbitrary OS commands by injecting shell metacharacters into the DB_PREFIX parameter used by install/install.php. The issue permits unauthenticated remote command execution with high to critical impact (as ...
CVE-2022-41496
CVE-2022-41496 affects iCMS v7.0.16 with a Server-Side Request Forgery (SSRF) via the url parameter in admincp.php. CVSSv3.1 base score 9.8 (CRITICAL) — network access, no user interaction required. Connected documents confirm the SSRF issue; PT-2022 offers a workaround: avoid or restrict the url...
CVE-2018-16332
CVE-2018-16332 affects iCMS 7.0.9 with a CSRF vulnerability in admincp.php?app=article&do=update. Connected sources describe an attack enabling remote exploitation to coerce administrators to review/approve articles; CVSS3 base score 8.8 (HIGH) with network attack vector, user interaction require...
CVE-2019-11426
CVE-2019-11426 is an XSS vulnerability affecting idreamsoft iCMS 7.0.14, exploitable via the admincp.php?app=config tab parameter in app/admincp/template/admincp.header.php. The issue is documented across multiple connected sources (NVD/Red Hat/EUVD/CVE listings) with CVSS metadata indicating MED...
CVE-2020-19527
CVE-2020-19527 affects iCMS 7.0.14. An attacker can execute arbitrary OS commands by injecting shell metacharacters into the DB_NAME parameter in install/install.php. Documented impact is critical (C/H/I/A) with network attack vector and no user interaction. No remediation/version details are pro...
CVE-2019-7234
The CVE-2019-7234 entry affects idreamsoft iCMS 7.0.13. The vulnerability stems from an error in admincp.php?app=apps&do=save (via _app=/../ in apps.admincp.php) that enables directory traversal, permitting creation of a ZIP archive containing contents of an arbitrary directory, which can then be...
CVE-2018-16365
CVE-2018-16365 : In idreamsoft iCMS v7.0.10, the admincp.php?app=group&do=save endpoint is vulnerable to Cross-Site Request Forgery (CSRF). The CNVD entry notes this CSRF can be exploited to add an administrator account, indicating a real impact vector affecting CMS login/privilege management. Af...
CVE-2019-7236
The CVE-2019-7236 issue affects idreamsoft iCMS 7.0.13 . The vulnerability is a directory traversal in the file editor/editor.admincp.php, exploitable via a payload that manipulates dir=../ to view files outside the intended directory. Core description in CNVD-2019-12125 confirms the vulnerabilit...
CVE-2018-13865
The CVE concerns idreamsoft iCMS 7.0.9. A cross-site scripting (XSS) flaw exists via the callback parameter in the public/api.php uploadpic endpoint, which bypasses the iWAF protection mechanism. This configuration allows arbitrary script execution in contexts relying on the affected API. No expl...
CVE-2018-16366
CVE-2018-16366 affects idreamsoft iCMS v7.0.10. The connected documents confirm a Cross-Site Request Forgery (CSRF) in admincp.php?app=user&do=save, enabling an attacker to perform privileged actions. One CNVD record notes an exploit path where a remote attacker could add an administrator account...
CVE-2018-16320
CVE-2018-16320 affects idreamsoft iCMS 7.0.11. A directory traversal flaw in admincp.php?app=config enables arbitrary PHP code execution from a ZIP file. Root cause: path traversal in the configuration admin endpoint. Impact: arbitrary code execution; exploitation status is not provided in the do...
CVE-2019-7237
CVE-2019-7237 affects idreamsoft iCMS 7.0.13 on Windows. The vulnerability is a Directory Traversal in editor/editor.admincp.php, exploitable via a crafted path (admincp.php?app=files&do=browse ..) to view files outside the intended directory. CNVD/CNVD-2019-12124 and CNVD entries describe the sa...
CVE-2020-24739
CVE-2020-24739 describes a CSRF flaw in iCMS v7.0.0 where, if the CSRF_TOKEN is missing, a background deletion action can delete all administrator accounts except the initial admin. This vulnerability is documented by multiple sources (Red Hat, CNVD, NVD, CVE lists) with the same basic descriptio...
CVE-2020-21141
CVE-2020-21141 affects iCMS v7.0.15 and is a Cross‑Site Request Forgery (CSRF) vulnerability exploitable via /admincp.php?app=members&do=add. The linked documents confirm the component (iCMS), version (7.0.15), and the attack class (CSRF) without specifying exploit details. NVD CVSS data indicate...
CVE-2026-30661
CVE-2026-30661 affects iCMS v8.0.0 in the User Management component (index.html). The vulnerability is a Cross-Site Scripting (XSS) flaw that allows an attacker to inject arbitrary web script or HTML via the regip or loginip parameters. The provided documents do not specify exploit details, affec...
CVE-2025-15394
CVE-2025-15394 affects iCMS up to version 8.0.0. The vulnerability resides in the Save function of app/config/ConfigAdmincp.php (POST Parameter Handler). Manipulating the config argument results in code injection. The issue can be exploited remotely, and public exploit code is available. Multiple...