CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

02 Aug 2018 — An SSRF vulnerability was discovered in idreamsoft iCMS before V7.0.11 because the remote function in app/spider/spider_tools.class.php does not block private and reserved IP addresses such as 10.0.0.0/8. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-14514. • https://github.com/idreamsoft/iCMS/issues/33 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 9.8 • EPSS: 1% • CPEs: 1 • EXPL: 1

23 Jul 2018 — An SSRF vulnerability was discovered in idreamsoft iCMS V7.0.9 that allows attackers to read sensitive files, access an intranet, or possibly have unspecified other impact. • https://github.com/idreamsoft/iCMS/issues/29 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

19 Jul 2018 — An issue was discovered in idreamsoft iCMS before 7.0.10. XSS exists via the fourth and fifth input elements on the admincp.php?app=prop&do=add screen. • https://github.com/idreamsoft/iCMS/issues/28 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Jul 2018 — An issue was discovered in idreamsoft iCMS 7.0.9. XSS exists via the callback parameter in a public/api.php uploadpic request, bypassing the iWAF protection mechanism. • https://github.com/idreamsoft/iCMS/issues/27 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

15 Jun 2018 — spider.admincp.php in iCMS v7.0.8 has SQL Injection via the id parameter in an app=spider&do=batch request to admincp.php. • https://github.com/idreamsoft/iCMS/issues/26 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

20 Apr 2018 — iCMS V7.0.8 has XSS via the admincp.php keywords parameter in a weixin_category action, aka a WeChat Classified Management keyword search. • https://github.com/idreamsoft/iCMS/issues/22 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

19 Apr 2018 — An issue was discovered in idreamsoft iCMS V7.0. There is a CSRF vulnerability that can add a Column via /admincp.php?app=article_category&do=save&frame=iPHP. • https://github.com/idreamsoft/iCMS/issues/21 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

15 Apr 2018 — An issue was discovered in idreamsoft iCMS V7.0.7. There is a CSRF vulnerability that can add an admin account via admincp.php?app=members&do=save&frame=iPHP. • https://github.com/idreamsoft/iCMS/issues/20 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Apr 2018 — An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request. • https://github.com/idreamsoft/iCMS/issues/17 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Apr 2018 — An issue was discovered in idreamsoft iCMS through 7.0.7. Physical path leakage exists via an invalid nickname field that reveals a core/library/weixin.class.php pathname. • https://github.com/idreamsoft/iCMS/issues/16 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor