CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 4CVE-2024-3311 – Dreamer CMS ThemesController.java ZipUtils.unZipFiles path traversal
https://notcve.org/view.php?id=CVE-2024-3311
A vulnerability was found in Dreamer CMS up to 4.1.3.0. It has been declared as critical. Affected by this vulnerability is the function ZipUtils.unZipFiles of the file controller/admin/ThemesController.java. The manipulation leads to path traversal. The attack can be launched remotely. • https://github.com/FaLLenSKiLL1/CVE-2024-33113 https://github.com/FaLLenSKiLL1/CVE-2024-33111 https://github.com/tekua/CVE-2024-33113 https://gitee.com/iteachyou/dreamer_cms/releases/tag/Latest_Stable_Release_4.1.3.1 https://gitee.com/y1336247431/poc-public/issues/I9BA5R https://vuldb.com/?ctiid.259369 https://vuldb.com/?id.259369 https://vuldb.com/?submit.303874 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 1CVE-2024-3118 – Dreamer CMS Attachment permission
https://notcve.org/view.php?id=CVE-2024-3118
A vulnerability, which was classified as critical, has been found in Dreamer CMS up to 4.1.3. This issue affects some unknown processing of the component Attachment Handler. The manipulation leads to permission issues. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/sweatxi/BugHub/blob/main/dreamer_Excessive_authority.pdf https://vuldb.com/?ctiid.258779 https://vuldb.com/?id.258779 https://vuldb.com/?submit.303196 • CWE-275: Permission Issues •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2354 – Dreamer CMS toEdit cross-site request forgery
https://notcve.org/view.php?id=CVE-2024-2354
A vulnerability, which was classified as problematic, was found in Dreamer CMS 4.1.3. Affected is an unknown function of the file /admin/menu/toEdit. The manipulation of the argument id leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/sweatxi/BugHub/blob/main/dreamer_cms_admin_menu_toEdit_csrf.pdf https://vuldb.com/?ctiid.256314 https://vuldb.com/?id.256314 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-46886
https://notcve.org/view.php?id=CVE-2023-46886
Dreamer CMS before version 4.0.1 is vulnerable to Directory Traversal. Background template management allows arbitrary modification of the template file, allowing system sensitive files to be read. Dreamer CMS anterior a la versión 4.0.1 es vulnerable a Directory Traversal. La gestión de plantillas en segundo plano permite la modificación arbitraria del archivo de plantilla, lo que permite leer archivos confidenciales del sistema. • https://gitee.com/iteachyou/dreamer_cms/issues/I6NOFN • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-46887
https://notcve.org/view.php?id=CVE-2023-46887
In Dreamer CMS before 4.0.1, the backend attachment management office has an Arbitrary File Download vulnerability. En Dreamer CMS anterior a 4.0.1, la oficina de administración de archivos adjuntos backend tiene una vulnerabilidad de descarga arbitraria de archivos. • https://gitee.com/iteachyou/dreamer_cms/issues/I6NDEZ • CWE-494: Download of Code Without Integrity Check •