
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

04 Feb 2022 — In iCMS <= 8.0.0, a directory traversal vulnerability allows an attacker to read arbitrary files. • https://gem-love.com/2021/12/10/ICMS-8-0-0%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%960day%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

04 Feb 2022 — iCMS <= 8.0.0 allows users to add and render a custom template, which has an SSTI vulnerability that leads to remote code execution. • https://gem-love.com/2021/12/10/ICMS-8-0-0%E5%90%8E%E5%8F%B0%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5%E5%AF%BC%E8%87%B4%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C0day%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 10.0 • EPSS: 7% • CPEs: 1 • EXPL: 1

10 Dec 2020 — iCMS 7.0.14 allows attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php. • https://github.com/idreamsoft/iCMS/issues/66 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

14 Oct 2019 — An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_project.admincp.php SQL injection vulnerability in the 'upload spider project scheme' feature via a two-dimensional payload. • https://github.com/idreamsoft/iCMS/issues/77 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

21 Apr 2019 — An XSS issue was discovered in app/search/search.app.php in idreamsoft iCMS 7.0.14 via the q parameter of public/api.php?app=search. • https://github.com/idreamsoft/iCMS/issues/64 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

21 Apr 2019 — An XSS issue was discovered in app/admincp/template/admincp.header.php in idreamsoft iCMS 7.0.14 via the tab parameter of admincp.php?app=config. • https://github.com/idreamsoft/iCMS/issues/64 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.7 • EPSS: 0% • CPEs: 1 • EXPL: 1

18 Feb 2019 — An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI. • https://github.com/idreamsoft/iCMS/issues/56 • CWE-352: Cross-Site Request Forgery (CSRF)