Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Icmsdev Subscribe
Filtered by product Icms
Total 16 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-14976 1 Icmsdev 1 Icms 2019-08-15 4.3 MEDIUM 6.1 MEDIUM
iCMS 7.0.15 allows admincp.php?app=apps XSS via the keywords parameter.
CVE-2019-6259 1 Icmsdev 1 Icms 2019-01-16 7.5 HIGH 9.8 CRITICAL
An issue was discovered in idreamsoft iCMS V7.0.13. There is SQL Injection via the app/article/article.admincp.php _data_id parameter.
CVE-2018-18702 1 Icmsdev 1 Icms 2018-12-04 7.5 HIGH 9.8 CRITICAL
spider.admincp.php in iCMS v7.0.11 allows SQL injection via admincp.php?app=spider&do=import_rule because the upfile content is base64 decoded, deserialized, and used for database insertion.
CVE-2018-16314 1 Icmsdev 1 Icms 2018-11-13 6.8 MEDIUM 8.8 HIGH
An issue was discovered in admincp.php in idreamsoft iCMS 7.0.11. When verifying CSRF_TOKEN, if CSRF_TOKEN does not exist, only the Referer header is validated, which can be bypassed via an admincp.php substring in this header.
CVE-2018-15895 1 Icmsdev 1 Icms 2018-11-07 5.0 MEDIUM 7.5 HIGH
An SSRF vulnerability was discovered in idreamsoft iCMS 7.0.11 because the remote function in app/spider/spider_tools.class.php does not block DNS hostnames associated with private and reserved IP addresses, as demonstrated by 127.0.0.1 in an A record. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-14858.
CVE-2018-14858 1 Icmsdev 1 Icms 2018-10-03 5.0 MEDIUM 7.5 HIGH
An SSRF vulnerability was discovered in idreamsoft iCMS before V7.0.11 because the remote function in app/spider/spider_tools.class.php does not block private and reserved IP addresses such as 10.0.0.0/8. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-14514.
CVE-2018-14514 1 Icmsdev 1 Icms 2018-09-17 7.5 HIGH 9.8 CRITICAL
An SSRF vulnerability was discovered in idreamsoft iCMS V7.0.9 that allows attackers to read sensitive files, access an intranet, or possibly have unspecified other impact.
CVE-2018-14415 1 Icmsdev 1 Icms 2018-09-17 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in idreamsoft iCMS before 7.0.10. XSS exists via the fourth and fifth input elements on the admincp.php?app=prop&do=add screen.
CVE-2018-12498 1 Icmsdev 1 Icms 2018-07-27 7.5 HIGH 9.8 CRITICAL
spider.admincp.php in iCMS v7.0.8 has SQL Injection via the id parameter in an app=spider&do=batch request to admincp.php.
CVE-2018-10222 1 Icmsdev 1 Icms 2018-05-22 6.8 MEDIUM 8.8 HIGH
An issue was discovered in idreamsoft iCMS V7.0. There is a CSRF vulnerability that can add a Column via /admincp.php?app=article_category&do=save&frame=iPHP.
CVE-2018-10250 1 Icmsdev 1 Icms 2018-05-21 3.5 LOW 5.4 MEDIUM
iCMS V7.0.8 has XSS via the admincp.php keywords parameter in a weixin_category action, aka a WeChat Classified Management keyword search.
CVE-2018-10117 1 Icmsdev 1 Icms 2018-05-18 6.8 MEDIUM 8.8 HIGH
An issue was discovered in idreamsoft iCMS V7.0.7. There is a CSRF vulnerability that can add an admin account via admincp.php?app=members&do=save&frame=iPHP.
CVE-2018-9923 1 Icmsdev 1 Icms 2018-04-17 6.8 MEDIUM 8.8 HIGH
An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request.
CVE-2018-9924 1 Icmsdev 1 Icms 2018-04-17 7.5 HIGH 9.8 CRITICAL
An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injection exists via the pid array parameter in an admincp.php?app=tag&do=save&frame=iPHP request.
CVE-2018-9925 1 Icmsdev 1 Icms 2018-04-17 3.5 LOW 5.4 MEDIUM
An issue was discovered in idreamsoft iCMS through 7.0.7. XSS exists via the nickname field in an admincp.php?app=user&do=save&frame=iPHP request.
CVE-2018-9922 1 Icmsdev 1 Icms 2018-04-17 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in idreamsoft iCMS through 7.0.7. Physical path leakage exists via an invalid nickname field that reveals a core/library/weixin.class.php pathname.