Lucene search
+L
PhomeEmpirecms

17 matches found

CVE
CVE
added 2019/06/07 4:44 p.m.88 views

CVE-2018-19462

EmpireCMS up to version 7.5 is affected by CVE-2018-19462 due to a vulnerability in admin\db\DoSql.php. An attacker can remotely trigger SQL injection that uses a .php filename in a SELECT INTO OUTFILE statement targeting admin/admin.php, resulting in arbitrary PHP code execution on the server. T...

7.2CVSS7.7AI score0.0221EPSS
CVE
CVE
added 2022/05/03 5:2 p.m.74 views

CVE-2022-28585

CVE-2022-28585 affects EmpireCMS 7.5 with a SQL injection in AdClass.php. The root cause is lack of validation for external input in SQL statements, enabling potentially unauthorized access to database data. The CVSS details indicate high/severe impact (C/H I/H A/H) and network-based, low complex...

9.8CVSS9.7AI score0.00914EPSS
CVE
CVE
added 2019/05/27 10:49 p.m.73 views

CVE-2019-12361

EmpireCMS 7.5.0 is affected by an XSS flaw reachable via the from parameter to e/member/doaction.php. The issue is demonstrated using a CSRF payload that alters the dynamic page template, with the attacker able to trigger a registered activation mail page (e/template/member/regsend.php). This sum...

6.1CVSS6AI score0.00413EPSS
Web
CVE
CVE
added 2021/08/17 6:52 p.m.73 views

CVE-2020-22937

EmpireCMS 7.5 is affected by a remote code execution in the file e/install/index.php that lets an attacker write arbitrary PHP code to the installer, enabling full control of the system. This vulnerability is described across multiple sources as an RCE through the install file, with CVSS metrics ...

9.8CVSS9.9AI score0.0282EPSS
CVE
CVE
added 2019/06/07 4:46 p.m.69 views

CVE-2018-19461

CVE-2018-19461 affects EmpireCMS (through 7.5 and earlier). A cross-site scripting flaw exists in admin\db\DoSql.php that can be triggered via crafted SQL syntax to admin/admin.php. Affected component is the DoSql.php path; root cause involves improper handling of SQL in that file leading to stor...

4.8CVSS5.3AI score0.00933EPSS
CVE
CVE
added 2012/11/16 12:0 a.m.66 views

CVE-2012-5777

CVE-2012-5777 affects EmpireCMS 6.6, specifically the template parser’s ReplaceListVars function in e/class/connect.php. The issue is an eval injection that allows a user-assisted remote attacker to execute arbitrary PHP code via a crafted template, leading to potential full web-server compromise...

6.8CVSS7.9AI score0.02211EPSS
Web
CVE
CVE
added 2018/02/12 3:0 a.m.60 views

CVE-2018-6880

EmpireCMS versions 6.6–7.2 are affected by a vulnerability in class/connect.php where an array value in a parameter enables remote attackers to discover the full server path. impact: path disclosure; no exploitation details or patches are provided in the connected documents. Remediation status/no...

5.3CVSS5.3AI score0.01801EPSS
Web
CVE
CVE
added 2019/05/27 10:50 p.m.59 views

CVE-2019-12362

CVE-2019-12362 affects EmpireCMS 7.5.0. The vulnerability is an XSS flaw exploitable via the HTTP Referer header to the endpoint e/member/doaction.php, as documented across Red Hat, NVD, CVE lists and CNVD/CVELIST entries. The available sources identify a cross-site scripting risk in EmpireCMS 7....

6.1CVSS5.9AI score0.00826EPSS
Web
CVE
CVE
added 2018/02/12 3:0 a.m.57 views

CVE-2018-6881

CVE-2018-6881 affects EmpireCMS 6.6. The vulnerability allows remote attackers to discover the full filesystem path via an array value passed to admin/tool/ShowPic.php, indicating a path leakage weakness in ShowPic.php. Root cause: improper handling of a request parameter leading to information d...

5.3CVSS5.3AI score0.02244EPSS
Web
CVE
CVE
added 2024/01/08 12:0 a.m.53 views

CVE-2023-50162

EmpireCMS v7.5 is affected by CVE-2023-50162 due to a SQL injection in the DoExecSql function. The vulnerability allows remote attackers to run arbitrary SQL, potentially leading to code execution and exposure of sensitive data. Root cause: lack of validation of externally supplied SQL statements...

7.2CVSS7.5AI score0.0098EPSS
CVE
CVE
added 2018/09/02 6:0 p.m.48 views

CVE-2018-16339

CVE-2018-16339 affects EmpireCMS 7.0 and is described as a Cross‑Site Request Forgery vulnerability that can add administrators via the endpoint upload/e/admin/user/AddUser.php?enews=AddUser. The connected documents confirm the affected product and the vulnerable action, but do not provide remedi...

8.8CVSS8.6AI score0.00523EPSS
Web
CVE
CVE
added 2018/10/31 6:0 a.m.44 views

CVE-2018-18869

EmpireCMS 7.5 is affected by CVE-2018-18869. The issue is a directory-traversal in the upload/e/admin/ecmscom.php path that, via a ..%2F in a .php filename, allows remote attackers to upload and execute arbitrary code. CVSS metrics indicate high to critical risk (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A...

9.8CVSS9.6AI score0.03741EPSS
Web
CVE
CVE
added 2018/12/20 12:0 a.m.44 views

CVE-2018-20300

Empire CMS 7.5 is affected by CVE-2018-20300. A remote attacker can execute arbitrary PHP code by supplying a crafted ftemp parameter in the enews=EditMemberForm action, because the code is injected into a memberform.$fid.php file. Affected component: the enews EditMemberForm flow in Empire CMS 7...

9.8CVSS9.7AI score0.01577EPSS
CVE
CVE
added 2018/10/09 8:0 p.m.42 views

CVE-2018-18086

EmpireCMS v7.5 is affected by CVE-2018-18086 due to an arbitrary file upload vulnerability in the LoadInMod function of e/class/moddofun.php, exploitable by logged-in users. The issue is documented in multiple sources (NVD entry and related records). The connected documents confirm the vulnerable...

8.8CVSS8.7AI score0.01493EPSS
CVE
CVE
added 2019/03/07 10:0 p.m.42 views

CVE-2018-18449

EmpireCMS 7.5 is affected by a CSRF vulnerability that allows adding a user account via enews=AddUser on e/admin/user/ListUser.php (and related mentions in CVE records). The NVD entry for CVE-2018-18449 lists CVSS v2 base score 6.8 (MEDIUM) and CVSS v3 base score 8.8 (HIGH) with network attack ve...

8.8CVSS8.8AI score0.0065EPSS
Web
CVE
CVE
added 2026/01/02 1:32 a.m.22 views

CVE-2025-15422

EmpireSoft EmpireCMS (versions up to 8.0) is affected by a flaw in the IP Address Handler, specifically the eigenenegat ip logic in e/class/connect.php (function egetip). The vulnerability enables a remote attacker to bypass protection mechanisms, with an exploit already published. Multiple sourc...

7.5CVSS5.4AI score0.01066EPSS
CVE
CVE
added 2026/01/02 2:2 a.m.18 views

CVE-2025-15423

Summary: CVE-2025-15423 affects EmpireSoft EmpireCMS up to version 8.0. The vulnerability is in the CheckSaveTranFiletype function of e/class/connect.php, whose manipulation enables unrestricted (arbitrary) file uploads. Exploitation can be conducted remotely and has been publicly disclosed. Mult...

8.8CVSS6.4AI score0.00314EPSS