
CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

26 Dec 2018 — An issue was discovered in S-CMS 3.0. It allows XSS via the admin/demo.php T_id parameter. • https://shell01.top/2018/12/14/scms-xss/#more • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

26 Dec 2018 — An issue was discovered in S-CMS 1.0. It allows SQL Injection via the js/pic.php P_id parameter. • https://xz.aliyun.com/t/3614#toc-2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

26 Dec 2018 — An issue was discovered in S-CMS 1.0. It allows reading certain files, such as PHP source code, via the admin/download.php DownName parameter with a mixed-case extension, as demonstrated by a DownName=download.Php value. • https://xz.aliyun.com/t/3614#toc-0 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

26 Dec 2018 — An issue was discovered in S-CMS 1.0. It allows SQL Injection via the wap_index.php?type=newsinfo S_id parameter. • https://xz.aliyun.com/t/3614#toc-2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Dec 2018 — S-CMS V3.0 has SQL injection via the S_id parameter, as demonstrated by the /1/?type=productinfo&S_id=140 URI. • https://github.com/QQ704568679/-/blob/master/README.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

17 Nov 2018 — An issue was discovered in S-CMS v1.5. There is a CSRF vulnerability that can add a new user via the admin/ajax.php?type=member&action=add URI. • https://kingflyme.blogspot.com/2018/11/the-poc-of-s-cmscsrf.html • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

17 Nov 2018 — An issue was discovered in S-CMS v1.5. There is a SQL injection vulnerability in search.php via the keyword parameter. • https://kingflyme.blogspot.com/2018/11/the-poc-of-s-cmssql-injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

09 Nov 2018 — An issue was discovered in S-CMS v1.5. There is an XSS vulnerability in search.php via the keyword parameter. • https://kingflyme.blogspot.com/2018/11/the-poc-of-s-cmsxss.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Nov 2018 — S-CMS PHP 1.0 has SQL injection in member/member_news.php via the type parameter (aka the $N_type field). • http://www.iwantacve.cn/index.php/archives/75 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

17 Oct 2018 — s-cms 3.0 allows SQL Injection via the member/post.php 0_id parameter or the POST data to member/member_login.php. • http://www.ttk7.cn/post-92.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')