Lucene search
K
MingsoftMcms

47 matches found

CVE
CVE
added 2024/02/05 12:0 a.m.212 views

CVE-2024-22567

Summary (CVE-2024-22567): A file-upload vulnerability in MCMS 5.3.5 allows an attacker to upload arbitrary files via a crafted POST to /ms/file/upload.do. The issue is documented across multiple sources (Red Hat, Veracode, GitHub advisory, OSV and others) and is rated with high impact (confidenti...

8.8CVSS8.6AI score0.17789EPSS
CVE
CVE
added 2022/01/20 11:40 p.m.154 views

CVE-2022-23315

MCMS v5.2.4 is affected by an arbitrary file upload vulnerability in the component /ms/template/writeFileContent.do. The root cause, as described across connected sources, is insufficient validation/filtration of uploaded file types, enabling attackers to upload arbitrary files. This impacts conf...

9.8CVSS9.6AI score0.01819EPSS
CVE
CVE
added 2022/01/20 11:40 p.m.129 views

CVE-2022-22928

CVE-2022-22928 concerns MingSoft MCMS v5.2.4, where a hardcoded Shiro key is the root cause. This enables attackers to exploit the key and execute arbitrary code. Available references from NVD and vendor CNVD/Red Hat entries corroborate a remote, unauthenticated impact with high to critical sever...

9.8CVSS9.7AI score0.025EPSS
CVE
CVE
added 2022/04/05 12:16 a.m.129 views

CVE-2022-26585

Mingsoft MCMS v5.2.7 contains an SQL injection vulnerability in the /cms/content/list API (categoryId parameter). It allows unauthenticated attackers to execute arbitrary SQL on the backend database. Public sources (NUCLEI template, CIRCL, CNVD, GHSA, etc.) confirm the issue and its impact; explo...

9.8CVSS9.8AI score0.05617EPSS
CVE
CVE
added 2022/03/03 6:1 p.m.125 views

CVE-2022-25125

MCMS v5.2.4 contains a SQL injection vulnerability via search.do in the file /mdiy/dict/listExcludeApp. An attacker can potentially obtain sensitive information, modify data, or execute unauthorized administrative operations in the context of the affected site. CVSS details indicate a high/chary ...

9.8CVSS9.8AI score0.07173EPSS
Web
CVE
CVE
added 2022/02/18 7:36 p.m.121 views

CVE-2021-46063

CVE-2021-46063 corresponds to a Server-Side Template Injection (SSTI) in MCMS v5.2.5, via the Template Management module. The issue is a SSTI vulnerability in MCMS 5.2.5 that can affect integrity and availability (per CVSS-3.1 base metrics: 9.1, CRITICAL) and is network-exploitable with low attac...

9.1CVSS9.3AI score0.02731EPSS
CVE
CVE
added 2022/03/03 6:1 p.m.121 views

CVE-2022-23898

MCMS v5.2.5 contains a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml. Exploitation could allow an attacker to read/modify data and perform unauthorized administrative operations within the affected site; CVSSv3.1 is 9.8 (CRITICAL). Remediation: apply the ven...

9.8CVSS9.8AI score0.07734EPSS
CVE
CVE
added 2022/03/04 9:42 p.m.117 views

CVE-2021-46384

MCMS

9.8CVSS9.5AI score0.02077EPSS
CVE
CVE
added 2022/02/18 6:32 p.m.115 views

CVE-2021-46037

MCMS v5.2.4 is affected by CVE-2021-46037: an arbitrary file deletion vulnerability via the component /template/unzip.do. The issue is described across multiple sources as enabling deletion of files, with CVSS indicators in the NVD entry (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H; base score 8.1 in CVS...

8.1CVSS8.1AI score0.01017EPSS
CVE
CVE
added 2022/02/18 7:36 p.m.114 views

CVE-2021-46062

MCMS 5.2.5 is affected by an arbitrary file deletion vulnerability in the oldFileName handling. The issue arises from ms-basic

7.1CVSS7AI score0.00755EPSS
CVE
CVE
added 2022/02/18 6:32 p.m.111 views

CVE-2021-46036

The vulnerability CVE-2021-46036 affects MCMS v5.2.4, via an arbitrary file upload in the component /ms/file/uploadTemplate.do. The Red Hat, GitHub advisories, OSV, and CVE records in connected sources corroborate an RCE risk from this upload path. The root cause is not explicitly detailed across...

9.8CVSS9.7AI score0.03507EPSS
CVE
CVE
added 2022/01/20 11:40 p.m.108 views

CVE-2022-23314

Affected product. MCMS v5.2.4. Vulnerability. SQL injection via /ms/mdiy/model/importJson.do. Root cause: lack of filtering/escaping of SQL data (per CNVD/CNNVD/Red Hat entries). Impact. High severity (CVSS v3.1: 9.8; CVSS v2.0: 7.5) with network access, no authentication, and full impact on conf...

9.8CVSS9.8AI score0.01595EPSS
Web
CVE
CVE
added 2022/05/27 1:27 p.m.107 views

CVE-2022-30506

CVE-2022-30506 affects MCMS 5.2.7. The vulnerability is an arbitrary file upload via a crafted ZIP file that allows an attacker to execute arbitrary code on the server. Connected sources corroborate a low-barrier remote vector and potential code execution; however, explicit patch details or versi...

9.8CVSS9.6AI score0.02539EPSS
CVE
CVE
added 2022/03/03 6:1 p.m.106 views

CVE-2022-23899

CVE-2022-23899 concerns MCMS v5.2.5, where a SQL injection vulnerability exists through the search.do endpoint in the file /web/MCmsAction.java. The issue is documented across multiple feeds (NVD, Red Hat, CNVD, OSV, GHSA, etc.) and consistently described as SQL injection in the MingSoft MCMS sys...

9.8CVSS9.8AI score0.01064EPSS
Web
CVE
CVE
added 2022/02/17 3:44 p.m.100 views

CVE-2021-44868

The vulnerability CVE-2021-44868 affects Ming-soft MCMS v5.1. A SQL injection flaw exists in the /ms/cms/content/list.do endpoint, enabling potentially unauthorized access to backend data. Documented under CVSS metrics, the issue has a CVSS v3.1 base score of 9.8 (CRITICAL) with NETWORK attack ve...

9.8CVSS9.5AI score0.01364EPSS
In wild
CVE
CVE
added 2022/04/22 7:51 p.m.100 views

CVE-2022-27340

MCMS v5.2.7 is affected by a Cross-Site Request Forgery via the /role/saveOrUpdateRole.do endpoint. The vulnerability allows an attacker to escalate privileges and modify data, effectively bypassing intended actions on behalf of an authenticated user. Root cause cited across multiple sources is C...

8.8CVSS8.8AI score0.00665EPSS
CVE
CVE
added 2022/08/16 12:51 p.m.98 views

CVE-2022-36599

Affected software: Mingsoft MCMS 5.2.8. Vulnerability: SQL injection in the /mdiy/model/delete URI via models Lists. Root cause / impact: Not explicitly detailed beyond the SQLi vulnerability; CVSS suggests CRITICAL impact (C/H, I/H, A/H) with network access. Exploitation status: Not provided in ...

9.8CVSS9.8AI score0.00873EPSS
Web
CVE
CVE
added 2025/04/21 12:0 a.m.98 views

CVE-2025-29287

CVE-2025-29287 affects MCMS v5.4.3 via the ueditor component, enabling arbitrary code execution through crafted file uploads. The vulnerability is known across multiple advisories (Red Hat, GHSA, OSV, NVD, Snyk, etc.), with CVSS v3.1 base score 9.8 (CRITICAL). Public references describe an arbitr...

9.8CVSS7.8AI score0.00626EPSS
CVE
CVE
added 2022/01/20 11:40 p.m.97 views

CVE-2022-22929

CVE-2022-22929 affects MingSoft MCMS v5.2.4, with an arbitrary file upload vulnerability in the New Template module. The vulnerability enables remote code execution via a crafted ZIP file, based on the description in multiple connected sources. Exploitation details, affected versions beyond v5.2....

9.8CVSS9.6AI score0.02576EPSS
CVE
CVE
added 2022/08/16 12:49 p.m.96 views

CVE-2022-36272

Summary of CVE-2022-36272 (Mingsoft MCMS 5.2.8) : A SQL injection vulnerability is present in the /mdiy/page/verify URI via the fieldName parameter in Mingsoft MCMS 5.2.8. Public sources describe impact as arbitrary SQL execution due to improper handling of the validated function in PageAction.ja...

9.8CVSS9.8AI score0.00873EPSS
Web
CVE
CVE
added 2022/07/01 8:10 p.m.88 views

CVE-2022-31943

CVE-2022-31943 affects MCMS v5.2.8 and is a validated arbitrary file upload vulnerability. Red Hat’s RH:CVE entry corroborates the issue; NVD metrics rate it as Critical (CVSSv3.1 9.8) with network access and no user interaction required. The initial data confirms the affected product and vulnera...

9.8CVSS9.3AI score0.01471EPSS
CVE
CVE
added 2022/12/08 12:0 a.m.83 views

CVE-2022-4350

CVE-2022-4350 affects Mingsoft MCMS 5.2.8. The vulnerability is in an unknown function within the file search.do; manipulating the content_title argument leads to cross-site scripting (XSS). Remote exploitation is possible, and the exploit has been disclosed publicly (VDB-215112). Multiple source...

6.1CVSS4.8AI score0.00398EPSS
CVE
CVE
added 2022/12/09 12:0 a.m.81 views

CVE-2022-4375

CVE-2022-4375 affects Mingsoft MCMS up to version 5.2.9. The vulnerability is a SQL injection in the /cms/category/list endpoint caused by improper handling of the sqlWhere parameter, allowing remote exploitation. Multiple connected sources confirm the issue and its impact, with upgrade to versio...

9.8CVSS8.3AI score0.0289EPSS
Web
CVE
CVE
added 2022/12/21 12:0 a.m.81 views

CVE-2022-4640

Mingsoft MCMS 5.2.9 is affected; the vulnerability resides in the save function of the Article Handler, enabling cross-site scripting. Reports indicate remote exploitation with a public exploit; upgrade to a newer component version is recommended. If needed, a temporary workaround from PT-Securit...

5.4CVSS4.4AI score0.00408EPSS
CVE
CVE
added 2022/05/31 9:22 p.m.80 views

CVE-2022-29647

MCMS 5.2.7 is affected by a Cross-Site Request Forgery (CSRF) vulnerability that enables an attacker to add an administrator account via the path ms/basic/manager/save.do. Public sources in the connected set consistently describe this flaw in MingSoft MCMS and detail the injection vector through ...

8.8CVSS8.6AI score0.00642EPSS
CVE
CVE
added 2018/10/30 6:0 a.m.77 views

CVE-2018-18830

MCMS 4.6.5 is affected by a flaw in com\mingsoft\basic\action\web\FileAction.java where the upload interface does not verify login status, allowing an attacker to upload JSP content disguised as a .png file and then coerce a suffix change to .jsp to access a stored path and execute arbitrary JSP ...

9.8CVSS9.7AI score0.01205EPSS
CVE
CVE
added 2018/10/30 6:0 a.m.75 views

CVE-2018-18831

The CVE-2018-18831 issue affects MCMS 4.6.5, specifically in com\mingsoft\cms\action\GeneraterAction.java. An attacker can exploit a directory traversal via the position parameter in the url to write a .jsp file to an arbitrary directory, enabling arbitrary file write. The connected advisories de...

7.5CVSS7.4AI score0.01543EPSS
CVE
CVE
added 2022/05/02 1:24 p.m.75 views

CVE-2022-27466

MCMS v5.2.27 contains a SQL injection vulnerability in the orderBy parameter of /dict/list.do. This is documented in CVE-2022-27466 across multiple feeds (NVD entry confirms vulnerable component and endpoint). The Connected documents corroborate the affected product version and vulnerable paramet...

9.8CVSS9.7AI score0.01603EPSS
Web
CVE
CVE
added 2022/05/11 5:38 p.m.74 views

CVE-2022-30048

CVE-2022-30048 affects Mingsoft MCMS 5.2.7 and is a SQL injection vulnerability in the /mdiy/dict/list endpoint exploited through the orderBy parameter. Root cause: unvalidated input leading to SQL injection; impact includes potential data exposure or modification as indicated by CVSS metrics (CV...

9.8CVSS9.8AI score0.01455EPSS
Web
CVE
CVE
added 2023/07/28 7:0 a.m.72 views

CVE-2023-3990

Mingsoft MCMS

6.1CVSS4.7AI score0.01365EPSS
CVE
CVE
added 2022/05/11 5:36 p.m.69 views

CVE-2022-30047

CVE-2022-30047 affects Mingsoft MCMS v5.2.7, with a SQL injection vulnerability in the /mdiy/dict/listExcludeApp URI via the orderBy parameter. The vulnerability is documented with CVSS v3.1 metrics (9.8, CRITICAL) and CVSS v2 metrics (7.5, HIGH). Connected sources consistently describe SQL injec...

9.8CVSS9.8AI score0.01455EPSS
Web
CVE
CVE
added 2021/01/22 3:35 p.m.68 views

CVE-2020-23262

CVE-2020-23262 : Ming-soft MCMS v5.0 is vulnerable to unauthenticated SQL injection via /mcms/view.do. The root cause is improper input handling that allows arbitrary SQL commands, with potential high/critical impact across confidentiality, integrity, and availability. The connected sources (GHSA...

9.8CVSS9.8AI score0.01145EPSS
Web
CVE
CVE
added 2022/01/26 12:0 a.m.68 views

CVE-2021-46386

Mingsoft MCMS

9.8CVSS9.6AI score0.03111EPSS
CVE
CVE
added 2023/01/24 12:0 a.m.66 views

CVE-2022-47042

CVE-2022-47042 affects MingSoft MCMS v5.2.10 and earlier. The vulnerability is an arbitrary file write via the component path ms/template/writeFileContent.do . Root cause described as an unrestricted file write in that endpoint, enabling an attacker to write arbitrary files. The CVSS 3.1 base met...

8.8CVSS8.8AI score0.01025EPSS
Web
CVE
CVE
added 2022/01/20 11:40 p.m.64 views

CVE-2022-22930

MCMS v5.2.4 Template Management is affected by an RCE vulnerability. The issue stems from insufficient input handling in the Template Management function, enabling an attacker to execute arbitrary code via a crafted payload. Multiple connected sources (Red Hat, GHSA, CNVD, CNNVD, NVD, etc.) descr...

9.8CVSS9.7AI score0.23694EPSS
CVE
CVE
added 2023/05/08 12:0 a.m.62 views

CVE-2020-22755

MCMS (MingSoft MCMS) is affected by CVE-2020-22755 due to an unrestricted file upload vulnerability in the thumbnail handling, enabling arbitrary code execution. Public references also describe a related issue in MCMS v5.2.8 (CVE-2022-31943) where an arbitrary file upload flaw exists, reinforcing...

8.8CVSS9.2AI score0.00924EPSS
CVE
CVE
added 2022/01/26 6:35 p.m.61 views

CVE-2021-46385

CVE-2021-46385 affects MingSoft MCMS (versions

7.5CVSS7.6AI score0.01524EPSS
Web
CVE
CVE
added 2023/04/04 12:0 a.m.58 views

CVE-2020-20913

CVE-2020-20913 describes a SQL Injection in Ming-Soft MCMS v4.7.2 where the basic_title parameter can be manipulated to run arbitrary SQL, potentially enabling remote code execution. The underlying issue is insufficient input validation of the basic_title parameter, allowing attacker-controlled S...

9.8CVSS9.8AI score0.01423EPSS
CVE
CVE
added 2022/01/26 4:14 p.m.58 views

CVE-2021-46383

MCMS (MingSoft MCMS)

7.5CVSS7.6AI score0.01563EPSS
CVE
CVE
added 2024/09/03 12:0 a.m.57 views

CVE-2024-42991

CVE-2024-42991 affects MCMS v5.4.1, where a front-end file upload vulnerability can lead to remote command execution. The Red Hat / NVD / OSV / CVE records agree on the symptom; exploitation details are not provided in the connected documents. A practical mitigation mentioned in PT-2024-30245 is ...

8.1CVSS7AI score0.00806EPSS
CVE
CVE
added 2024/01/16 12:0 a.m.52 views

CVE-2023-51282

CVE-2023-51282 affects mingSoft MCMS v5.2.4. The issue allows a remote attacker to obtain sensitive information by sending a crafted script to the password parameter, with a CVSS v3.1 base score of 7.5 (HIGH) and network attack Vector, low attack complexity, no privileges required, no user intera...

7.5CVSS7.2AI score0.01119EPSS
CVE
CVE
added 2023/12/30 12:0 a.m.48 views

CVE-2023-50578

Mingsoft MCMS v5.2.9 is affected by a SQL injection via the categoryType parameter at /content/list.do. The vulnerability stems from unsanitized input, enabling attackers to execute arbitrary SQL commands. Reported impact includes potential data leakage, modification, or deletion. CVSSv3.1 is hig...

9.8CVSS9.8AI score0.02222EPSS
Web
CVE
CVE
added 2018/09/23 6:0 p.m.44 views

CVE-2018-17366

MCMS 4.6.5 is affected by a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do. The CVSS metrics indicate high impact (CVSS‑3.0 base score 8.8, HIGH) with network attack vector and user interaction required. The CVSS‑2 entry is 6.8 (MEDIUM). No exploitation deta...

8.8CVSS8.6AI score0.00572EPSS
CVE
CVE
added 2025/10/17 12:0 a.m.37 views

CVE-2025-56316

MCMS 5.5.0 is vulnerable to SQL injection in the content_title parameter of /cms/content/list during FreeMarker template rendering. Exploitation allows arbitrary SQL via unsanitized input. Impact is high (CVE-2025-56316 family). Remediation: upgrade net.mingsoft:ms-mcms to 6.0.2+ (per Snyk entry)...

9.8CVSS8.1AI score0.0058EPSS
Web
CVE
CVE
added 2026/02/18 8:2 p.m.17 views

CVE-2026-2666

mingSoft MCMS 6.1.1 is affected. The vulnerability resides in the Template Archive Handler’s /ms/file/uploadTemplate.do where manipulating the File argument enables unrestricted file uploads, and the attack can be carried out remotely. Public exploit information exists. Impact is described consis...

7.2CVSS5.3AI score0.00362EPSS
Web
CVE
CVE
added 2025/10/23 12:0 a.m.12 views

CVE-2025-60837

MCMS v6.0.1 is affected by a reflected XSS vulnerability (CVE-2025-60837). The issue enables an attacker to execute arbitrary JavaScript in a user’s browser via a crafted payload. The CVE entry lists CVSS v3.1 base metrics: AV:N, AC:L, PR:N, UI:R, S:C, C:L, I:L, A:N, with a base score of 6.1 (Med...

6.1CVSS5.6AI score0.00184EPSS
CVE
CVE
added 2025/10/10 12:0 a.m.11 views

CVE-2025-60838

MCMS v6.0.1 has an arbitrary file upload vulnerability (CVE-2025-60838) that could allow an attacker to execute arbitrary code by uploading a crafted file. This vulnerability is consistently described across multiple sources (NVD, Red Hat, ENISA EUVD, CVE List, CNNVD, etc.). The available documen...

6.5CVSS7.5AI score0.0024EPSS