CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-44977
https://notcve.org/view.php?id=CVE-2021-44977
04 Feb 2022 — In iCMS <=8.0.0, a directory traversal vulnerability allows an attacker to read arbitrary files. En iCMS versiones anteriores a 8.0.0 incluyéndola, una vulnerabilidad de salto de directorio permite a un atacante leer archivos arbitrarios • https://gem-love.com/2021/12/10/ICMS-8-0-0%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%960day%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-44978
https://notcve.org/view.php?id=CVE-2021-44978
04 Feb 2022 — iCMS <= 8.0.0 allows users to add and render a comtom template, which has a SSTI vulnerability which causes remote code execution. iCMS versiones anteriores a 8.0.0 incluyéndola, permite a usuarios añadir y renderizar una plantilla comtom, que presenta una vulnerabilidad SSTI que causa una ejecución de código remota • https://gem-love.com/2021/12/10/ICMS-8-0-0%E5%90%8E%E5%8F%B0%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5%E5%AF%BC%E8%87%B4%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C0day%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 7%CPEs: 1EXPL: 1CVE-2020-19142
https://notcve.org/view.php?id=CVE-2020-19142
10 Dec 2020 — iCMS 7 attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php. Los atacantes de iCMS versión 7 ejecutan comandos arbitrarios del Sistema Operativo por medio de metacaracteres de shell en el parámetro DB_PREFIX para el archivo install/install.php. • https://github.com/idreamsoft/iCMS/issues/65 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-24739
https://notcve.org/view.php?id=CVE-2020-24739
10 Sep 2020 — A CSRF vulnerability was found in iCMS v7.0.0 in the background deletion administrator account. When missing the CSRF_TOKEN and can still request normally, all administrators except the initial administrator will be deleted. Se encontró una vulnerabilidad de tipo CSRF en iCMS versión v7.0.0, en la cuenta de administrador de eliminación en segundo plano. Cuando falta el CSRF_TOKEN y aún puede solicitarlo normalmente, se eliminarán todos los administradores, excepto el administrador inicial • https://github.com/idreamsoft/iCMS/issues/76 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16677
https://notcve.org/view.php?id=CVE-2019-16677
21 Sep 2019 — An issue was discovered in idreamsoft iCMS V7.0. admincp.php?app=members&do=del allows CSRF. Se detectó un problema en idreamsoft iCMS versión V7.0. admincp.php?app=members&do=del permite un ataque de tipo CSRF. • https://github.com/idreamsoft/iCMS/issues/76 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.7EPSS: 0%CPEs: 1EXPL: 1CVE-2019-8902
https://notcve.org/view.php?id=CVE-2019-8902
18 Feb 2019 — An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI. Se ha descubierto un problema en idreamsoft iCMS hasta la versión 7.0.14. Una vulnerabilidad de Cross-Site Request Forgery (CSRF) puede eliminar los artículos del usuario mediante el URI "public/api.php? • https://github.com/idreamsoft/iCMS/issues/56 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16332
https://notcve.org/view.php?id=CVE-2018-16332
02 Sep 2018 — An issue was discovered in iCMS 7.0.9. There is an admincp.php?app=article&do=update CSRF vulnerability. Se ha descubierto un problema en iCMS 7.0.9. Hay una vulnerabilidad de Cross-Site Request Forgery (CSRF) en admincp.php? • https://github.com/idreamsoft/iCMS/issues/31 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-15895
https://notcve.org/view.php?id=CVE-2018-15895
27 Aug 2018 — An SSRF vulnerability was discovered in idreamsoft iCMS 7.0.11 because the remote function in app/spider/spider_tools.class.php does not block DNS hostnames associated with private and reserved IP addresses, as demonstrated by 127.0.0.1 in an A record. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-14858. Se ha descubierto una vulnerabilidad Server-Side Request Forgery (SSRF) en idreamsoft iCMS 7.0.11 debido a que la función remote en app/spider/spider_tools.class.php no bloquea l... • https://github.com/idreamsoft/iCMS/issues/40 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-14858
https://notcve.org/view.php?id=CVE-2018-14858
02 Aug 2018 — An SSRF vulnerability was discovered in idreamsoft iCMS before V7.0.11 because the remote function in app/spider/spider_tools.class.php does not block private and reserved IP addresses such as 10.0.0.0/8. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-14514. Se ha descubierto una vulnerabilidad Server-Side Request Forgery (SSRF) en idreamsoft iCMS en versiones anteriores a la V7.0.11 debido a que la función remote en app/spider/spider_tools.class.php no bloquea las direcciones IP ... • https://github.com/idreamsoft/iCMS/issues/33 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2018-14514
https://notcve.org/view.php?id=CVE-2018-14514
23 Jul 2018 — An SSRF vulnerability was discovered in idreamsoft iCMS V7.0.9 that allows attackers to read sensitive files, access an intranet, or possibly have unspecified other impact. Se ha descubierto una vulnerabilidad Server-Side Request Forgery (SSRF) en idreamsoft iCMS V7.0.9 que permite que los atacantes lean archivos sensibles, accedan a la intranet o provoquen otro tipo de impacto sin especificar. • https://github.com/idreamsoft/iCMS/issues/29 • CWE-918: Server-Side Request Forgery (SSRF) •