CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-44977
https://notcve.org/view.php?id=CVE-2021-44977
04 Feb 2022 — In iCMS <=8.0.0, a directory traversal vulnerability allows an attacker to read arbitrary files. En iCMS versiones anteriores a 8.0.0 incluyéndola, una vulnerabilidad de salto de directorio permite a un atacante leer archivos arbitrarios • https://gem-love.com/2021/12/10/ICMS-8-0-0%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%960day%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-44978
https://notcve.org/view.php?id=CVE-2021-44978
04 Feb 2022 — iCMS <= 8.0.0 allows users to add and render a comtom template, which has a SSTI vulnerability which causes remote code execution. iCMS versiones anteriores a 8.0.0 incluyéndola, permite a usuarios añadir y renderizar una plantilla comtom, que presenta una vulnerabilidad SSTI que causa una ejecución de código remota • https://gem-love.com/2021/12/10/ICMS-8-0-0%E5%90%8E%E5%8F%B0%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5%E5%AF%BC%E8%87%B4%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C0day%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 7%CPEs: 1EXPL: 1CVE-2020-19142
https://notcve.org/view.php?id=CVE-2020-19142
10 Dec 2020 — iCMS 7 attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php. Los atacantes de iCMS versión 7 ejecutan comandos arbitrarios del Sistema Operativo por medio de metacaracteres de shell en el parámetro DB_PREFIX para el archivo install/install.php. • https://github.com/idreamsoft/iCMS/issues/65 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-24739
https://notcve.org/view.php?id=CVE-2020-24739
10 Sep 2020 — A CSRF vulnerability was found in iCMS v7.0.0 in the background deletion administrator account. When missing the CSRF_TOKEN and can still request normally, all administrators except the initial administrator will be deleted. Se encontró una vulnerabilidad de tipo CSRF en iCMS versión v7.0.0, en la cuenta de administrador de eliminación en segundo plano. Cuando falta el CSRF_TOKEN y aún puede solicitarlo normalmente, se eliminarán todos los administradores, excepto el administrador inicial • https://github.com/idreamsoft/iCMS/issues/76 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16677
https://notcve.org/view.php?id=CVE-2019-16677
21 Sep 2019 — An issue was discovered in idreamsoft iCMS V7.0. admincp.php?app=members&do=del allows CSRF. Se detectó un problema en idreamsoft iCMS versión V7.0. admincp.php?app=members&do=del permite un ataque de tipo CSRF. • https://github.com/idreamsoft/iCMS/issues/76 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.7EPSS: 0%CPEs: 1EXPL: 1CVE-2019-8902
https://notcve.org/view.php?id=CVE-2019-8902
18 Feb 2019 — An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI. Se ha descubierto un problema en idreamsoft iCMS hasta la versión 7.0.14. Una vulnerabilidad de Cross-Site Request Forgery (CSRF) puede eliminar los artículos del usuario mediante el URI "public/api.php? • https://github.com/idreamsoft/iCMS/issues/56 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-15895
https://notcve.org/view.php?id=CVE-2018-15895
27 Aug 2018 — An SSRF vulnerability was discovered in idreamsoft iCMS 7.0.11 because the remote function in app/spider/spider_tools.class.php does not block DNS hostnames associated with private and reserved IP addresses, as demonstrated by 127.0.0.1 in an A record. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-14858. Se ha descubierto una vulnerabilidad Server-Side Request Forgery (SSRF) en idreamsoft iCMS 7.0.11 debido a que la función remote en app/spider/spider_tools.class.php no bloquea l... • https://github.com/idreamsoft/iCMS/issues/40 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-14858
https://notcve.org/view.php?id=CVE-2018-14858
02 Aug 2018 — An SSRF vulnerability was discovered in idreamsoft iCMS before V7.0.11 because the remote function in app/spider/spider_tools.class.php does not block private and reserved IP addresses such as 10.0.0.0/8. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-14514. Se ha descubierto una vulnerabilidad Server-Side Request Forgery (SSRF) en idreamsoft iCMS en versiones anteriores a la V7.0.11 debido a que la función remote en app/spider/spider_tools.class.php no bloquea las direcciones IP ... • https://github.com/idreamsoft/iCMS/issues/33 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-14415
https://notcve.org/view.php?id=CVE-2018-14415
19 Jul 2018 — An issue was discovered in idreamsoft iCMS before 7.0.10. XSS exists via the fourth and fifth input elements on the admincp.php?app=prop&do=add screen. Se ha descubierto un problema en idreamsoft iCMS en versiones anteriores a la 7.0.10. Existe Cross-Site Scripting (XSS) mediante el cuarto y el quinto elemento de entrada en la pantalla admincp.php? • https://github.com/idreamsoft/iCMS/issues/28 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-9923
https://notcve.org/view.php?id=CVE-2018-9923
10 Apr 2018 — An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request. Se ha descubierto un problema en idreamsoft iCMS hasta la versión 7.0.7. Existe CSRF en admincp.php, tal y como queda demostrado con la adición de un artículo mediante una petición app=articledo=saveframe=iPHP. • https://github.com/idreamsoft/iCMS/issues/17 • CWE-352: Cross-Site Request Forgery (CSRF) •