Vulnerabilities (CVE)

Filtered by vendor Chshcms Subscribe
Filtered by product Cscms
Total 21 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-30898 1 Chshcms 1 Cscms 2022-06-17 4.3 MEDIUM 6.5 MEDIUM
A Cross-site request forgery (CSRF) vulnerability in Cscms music portal system v4.2 allows remote attackers to change the administrator's username and password.
CVE-2022-28552 1 Chshcms 1 Cscms 2022-05-12 6.5 MEDIUM 8.8 HIGH
Cscms 4.1 is vulnerable to SQL Injection. Log into the background, open the song module, create a new song, delete it to the recycle bin, and SQL injection security problems will occur when emptying the recycle bin.
CVE-2022-27369 1 Chshcms 1 Cscms 2022-04-22 6.5 MEDIUM 7.2 HIGH
Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component news_News.php_hy.
CVE-2022-27365 1 Chshcms 1 Cscms 2022-04-21 6.5 MEDIUM 7.2 HIGH
Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Dance.php_del.
CVE-2022-27366 1 Chshcms 1 Cscms 2022-04-21 6.5 MEDIUM 7.2 HIGH
Cscms Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the component dance_Dance.php_hy.
CVE-2022-27367 1 Chshcms 1 Cscms 2022-04-21 6.5 MEDIUM 7.2 HIGH
Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Topic.php_del.
CVE-2022-27368 1 Chshcms 1 Cscms 2022-04-21 6.5 MEDIUM 7.2 HIGH
Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Lists.php_zhuan.
CVE-2022-27090 1 Chshcms 1 Cscms 2022-03-29 4.9 MEDIUM 5.4 MEDIUM
Cscms Music Portal System v4.2 was discovered to contain a redirection vulnerability via the backurl parameter.
CVE-2020-28103 1 Chshcms 1 Cscms 2022-01-14 7.5 HIGH 9.8 CRITICAL
cscms v4.1 allows for SQL injection via the "page_del" function.
CVE-2020-28102 1 Chshcms 1 Cscms 2022-01-14 7.5 HIGH 9.8 CRITICAL
cscms v4.1 allows for SQL injection via the "js_del" function.
CVE-2020-21238 1 Chshcms 1 Cscms 2022-01-10 5.0 MEDIUM 9.8 CRITICAL
An issue in the user login box of CSCMS v4.0 allows attackers to hijack user accounts via brute force attacks.
CVE-2020-22848 1 Chshcms 1 Cscms 2021-09-07 7.5 HIGH 9.8 CRITICAL
A remote code execution (RCE) vulnerability in the \Playsong.php component of cscms v4.1 allows attackers to execute arbitrary commands.
CVE-2019-9598 1 Chshcms 1 Cscms 2019-03-08 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in Cscms 4.1.0. There is an admin.php/pay CSRF vulnerability that can change the payment account to redirect funds.
CVE-2019-6779 1 Chshcms 1 Cscms 2019-01-25 5.8 MEDIUM 8.1 HIGH
Cscms 4.1.8 allows admin.php/links/save CSRF to add, modify, or delete friend links.
CVE-2018-17126 1 Chshcms 1 Cscms 2018-11-19 7.5 HIGH 9.8 CRITICAL
CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_POST[cmd]);# in Web Name to upload\plugins\sys\Install.php.
CVE-2018-17125 1 Chshcms 1 Cscms 2018-11-19 6.4 MEDIUM 7.5 HIGH
CScms 4.1 allows arbitrary directory deletion via a dir=..\\ substring to plugins\sys\admin\Plugins.php.
CVE-2018-16731 1 Chshcms 1 Cscms 2018-10-30 7.5 HIGH 9.8 CRITICAL
CScms 4.1 allows arbitrary file upload by (for example) adding the php extension to the default filetype list (gif, jpg, png), and then providing a .php pathname within fileurl JSON data.
CVE-2018-16337 1 Chshcms 1 Cscms 2018-10-25 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in Cscms V4.1.8. There is a CSRF vulnerability that can modify a website's basic configuration via upload/admin.php/setting/save.
CVE-2018-16448 1 Chshcms 1 Cscms 2018-10-25 6.8 MEDIUM 8.8 HIGH
Cscms 4 allows CSRF for creating a member via upload/admin.php/user/save, authenticating vip members via upload/admin.php/user/init/tid and upload/admin.php/user/init/rzid, and creating a super administrator and web editor via upload/admin.php/sys/save.
CVE-2018-16730 1 Chshcms 1 Cscms 2018-10-19 4.3 MEDIUM 6.1 MEDIUM
\upload\plugins\sys\Install.php in CScms 4.1 has XSS via the site name.