
CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Dec 2022 — A vulnerability was found in S-CMS 5.0 Build 20220328. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Contact Information Page. The manipulation of the argument Make a Call leads to cross site scripting. The attack can be launched remotely. • https://github.com/mengdeyin/main/blob/main/README.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-707: Improper Neutralization

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

14 Feb 2022 — S-CMS v5.0 was discovered to contain a SQL injection vulnerability in member_pay.php via the O_id parameter. • http://note.youdao.com/noteshare?id=30c7cdeac5c7611fdf64379eb4569269 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

22 Dec 2021 — S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in /function/booksave.php. • http://government.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

22 Dec 2021 — S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in the search function. • http://government.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

14 Oct 2021 — An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files. • https://github.com/zhuxianjin/vuln_repo/blob/master/S-CMS%20v3.0%20XXE%20Arbitrary%20File%20Read%20Vulnerability.md • CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Sep 2021 — There is an unauthorized access vulnerability in the CMS Enterprise Website Construction System 5.0. Attackers can use this vulnerability to directly access the specified background path without logging in to the background to obtain the background administrator authority. • https://github.com/purple-WL/S-cms-Unauthorized • CWE-862: Missing Authorization

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Sep 2021 — Cross Site Scripting (XSS) in S-CMS build 20191014 and earlier allows remote attackers to execute arbitrary code via the 'Site Title' parameter of the component '/data/admin/#/app/config/'. • https://github.com/TL-swallow/swallow/blob/master/S-CMS%20XSS1.docx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Sep 2021 — A SQL injection vulnerability in the 4.edu.php\conn\function.php component of S-CMS v1.0 allows attackers to access sensitive database information. • https://github.com/mntn0x/POC/blob/master/S-CMS/S-CMS-SQL%E6%B3%A8%E5%85%A5.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

31 Aug 2021 — Cross Site Scripting (XSS) in S-CMS v1.0 allows remote attackers to execute arbitrary code via the component '/admin/tpl.php?page='. • https://github.com/Aoyanm/audit/issues/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

27 Jul 2021 — A stored cross site scripting (XSS) vulnerability in /app/config/ of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. • https://github.com/Peithon/site_XSS/blob/master/readme.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')