CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-44977
https://notcve.org/view.php?id=CVE-2021-44977
04 Feb 2022 — In iCMS <=8.0.0, a directory traversal vulnerability allows an attacker to read arbitrary files. En iCMS versiones anteriores a 8.0.0 incluyéndola, una vulnerabilidad de salto de directorio permite a un atacante leer archivos arbitrarios • https://gem-love.com/2021/12/10/ICMS-8-0-0%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%960day%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-44978
https://notcve.org/view.php?id=CVE-2021-44978
04 Feb 2022 — iCMS <= 8.0.0 allows users to add and render a comtom template, which has a SSTI vulnerability which causes remote code execution. iCMS versiones anteriores a 8.0.0 incluyéndola, permite a usuarios añadir y renderizar una plantilla comtom, que presenta una vulnerabilidad SSTI que causa una ejecución de código remota • https://gem-love.com/2021/12/10/ICMS-8-0-0%E5%90%8E%E5%8F%B0%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5%E5%AF%BC%E8%87%B4%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C0day%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.7EPSS: 0%CPEs: 1EXPL: 1CVE-2019-8902
https://notcve.org/view.php?id=CVE-2019-8902
18 Feb 2019 — An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI. Se ha descubierto un problema en idreamsoft iCMS hasta la versión 7.0.14. Una vulnerabilidad de Cross-Site Request Forgery (CSRF) puede eliminar los artículos del usuario mediante el URI "public/api.php? • https://github.com/idreamsoft/iCMS/issues/56 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18702
https://notcve.org/view.php?id=CVE-2018-18702
27 Oct 2018 — spider.admincp.php in iCMS v7.0.11 allows SQL injection via admincp.php?app=spider&do=import_rule because the upfile content is base64 decoded, deserialized, and used for database insertion. spider.admincp.php en iCMS v7.0.11 permite una inyección SQL mediante admincp.php?app=spiderdo=import_rule debido a que el contenido de upfile está descodificado en base64, deserializado y se emplea para la inserción en la base de datos. • https://github.com/idreamsoft/iCMS/issues/42 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2018-16320
https://notcve.org/view.php?id=CVE-2018-16320
01 Sep 2018 — idreamsoft iCMS 7.0.11 allows admincp.php?app=config Directory Traversal, resulting in execution of arbitrary PHP code from a ZIP file. idreamsoft iCMS 7.0.11 permite un salto de directorio en admincp.php?app=config, lo que resulta en la ejecución de código PHParbitrario desde un archivo ZIP. • https://github.com/idreamsoft/iCMS/issues/41 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16314
https://notcve.org/view.php?id=CVE-2018-16314
01 Sep 2018 — An issue was discovered in admincp.php in idreamsoft iCMS 7.0.11. When verifying CSRF_TOKEN, if CSRF_TOKEN does not exist, only the Referer header is validated, which can be bypassed via an admincp.php substring in this header. Se ha descubierto un problema en admincp.php en idreamsoft iCMS 7.0.11. Al verificar CSRF_TOKEN, si CSRF_TOKEN no existe, solo se valida la cabecera Referer, lo que puede omitirse mediante una subcadena admincp.php en esta cabecera. • https://github.com/idreamsoft/iCMS/issues/35 • CWE-352: Cross-Site Request Forgery (CSRF) •