Impresscms

impresscms

Vendor: Impresscms • 21 CVEs

CVEs (21)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-25703 1Impresscms 1Impresscms Apr 17, 2026 Apr 12, 2026 7.1 HIGH· v4 8.8 HIGH· v3 N/A· v2 ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requ...Show more ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.Show less
CVE-2022-50912 1Impresscms 1Impresscms Feb 3, 2026 Jan 13, 2026 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file...Show more ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions .php2.php6.php7.phps.pht to execute arbitrary PHP code on the server.Show less
CVE-2023-37785 1Impresscms 1Impresscms Nov 21, 2024 Jul 13, 2023 N/A· v4 4.8 MEDIUM· v3 N/A· v2 A cross-site scripting (XSS) vulnerability in ImpressCMS v1.4.5 and before allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the smile_code parameter of the component /editprof...Show more A cross-site scripting (XSS) vulnerability in ImpressCMS v1.4.5 and before allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the smile_code parameter of the component /editprofile.php.Show less
CVE-2022-26986 1Impresscms 1Impresscms Nov 21, 2024 Apr 5, 2022 N/A· v4 7.2 HIGH· v3 8.5 HIGH· v2 SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the applicat...Show more SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a malicious web shell to compromise the entire system.Show less
CVE-2021-26601 1Impresscms 1Impresscms Nov 21, 2024 Mar 28, 2022 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 ImpressCMS before 1.4.3 allows libraries/image-editor/image-edit.php image_temp Directory Traversal.
CVE-2021-26600 1Impresscms 1Impresscms Nov 21, 2024 Mar 28, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ImpressCMS before 1.4.3 has plugins/preloads/autologin.php type confusion with resultant Authentication Bypass (!= instead of !==).
CVE-2021-26599 1Impresscms 1Impresscms Nov 21, 2024 Mar 28, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.
CVE-2021-26598 1Impresscms 1Impresscms Nov 21, 2024 Mar 28, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token).
CVE-2022-24977 1Impresscms 1Impresscms Nov 21, 2024 Feb 14, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ImpressCMS before 1.4.2 allows unauthenticated remote code execution via ...../// directory traversal in origName or imageName, leading to unsafe interaction with the CKEditor processImage.php script. The payload may be...Show more ImpressCMS before 1.4.2 allows unauthenticated remote code execution via ...../// directory traversal in origName or imageName, leading to unsafe interaction with the CKEditor processImage.php script. The payload may be placed in PHP_SESSION_UPLOAD_PROGRESS when the PHP installation supports upload_progress.Show less
CVE-2021-28088 1Impresscms 1Impresscms Nov 21, 2024 Mar 11, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting (XSS) in modules/content/admin/content.php in ImpressCMS profile 1.4.2 allows remote attackers to inject arbitrary web script or HTML parameters through the "Display Name" field.
CVE-2020-17551 1Impresscms 1Impresscms Nov 21, 2024 Oct 7, 2020 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 ImpressCMS 1.4.0 is affected by XSS in modules/system/admin.php which may result in arbitrary remote code execution.
CVE-2018-13983 1Impresscms 1Impresscms Nov 21, 2024 May 6, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 ImpressCMS 1.3.10 has XSS via the PATH_INFO to htdocs/install/index.php, htdocs/install/page_langselect.php, or htdocs/install/page_modcheck.php.
CVE-2014-1836 1Impresscms 1Impresscms May 6, 2026 Jul 1, 2015 N/A· v4 N/A· v3 6.4 MEDIUM· v2 Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a canc...Show more Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.Show less
CVE-2014-4036 1Impresscms 1Impresscms May 6, 2026 Jun 11, 2014 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in modules/system/admin.php in ImpressCMS 1.3.6.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter in a listimg action.
CVE-2012-0987 1Impresscms 1Impresscms Apr 29, 2026 Oct 6, 2012 N/A· v4 N/A· v3 6.0 MEDIUM· v2 Directory traversal vulnerability in edituser.php in ImpressCMS 1.2.x before 1.2.7 Final and 1.3.x before 1.3.1 Final allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in t...Show more Directory traversal vulnerability in edituser.php in ImpressCMS 1.2.x before 1.2.7 Final and 1.3.x before 1.3.1 Final allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the icmsConfigPlugins[sanitizer_plugins][] parameter.Show less
CVE-2012-0986 1Impresscms 1Impresscms Apr 29, 2026 Oct 6, 2012 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in ImpressCMS 1.2.x before 1.2.7 Final and 1.3.x before 1.3.1 Final allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) notifications...Show more Multiple cross-site scripting (XSS) vulnerabilities in ImpressCMS 1.2.x before 1.2.7 Final and 1.3.x before 1.3.1 Final allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) notifications.php, (2) modules/system/admin/images/browser.php, and (3) modules/content/admin/content.php.Show less
CVE-2010-4616 1Impresscms 1Impresscms Apr 29, 2026 Dec 29, 2010 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in modules/content/admin/content.php in ImpressCMS 1.2.3 Final, and possibly other versions before 1.2.4, allows remote attackers to inject arbitrary web script or HTML via the qu...Show more Cross-site scripting (XSS) vulnerability in modules/content/admin/content.php in ImpressCMS 1.2.3 Final, and possibly other versions before 1.2.4, allows remote attackers to inject arbitrary web script or HTML via the quicksearch_ContentContent parameter.Show less
CVE-2010-4271 1Impresscms 1Impresscms Apr 29, 2026 Nov 17, 2010 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in ImpressCMS before 1.2.3 RC2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-6360 1Impresscms 1Impresscms Apr 23, 2026 Mar 2, 2009 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the userranks feature in modules/system/admin.php in ImpressCMS 1.0.2 final allows remote attackers to inject arbitrary web script or HTML via the rank_title parameter. NOTE:...Show more Cross-site scripting (XSS) vulnerability in the userranks feature in modules/system/admin.php in ImpressCMS 1.0.2 final allows remote attackers to inject arbitrary web script or HTML via the rank_title parameter. NOTE: some of these details are obtained from third party information.Show less
CVE-2008-5964 1Impresscms 1Impresscms Apr 23, 2026 Jan 23, 2009 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Session fixation vulnerability in Social ImpressCMS before 1.1.1 RC1 allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.

12 Next