Easycms

easycms

12 CVEs • 1 product

Products (1)

Click to collapse

Toggle

CVEs (12)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-3786 1Easycms 1Easycms Apr 29, 2026 Mar 8, 2026 2.1 LOW· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A security flaw has been discovered in EasyCMS up to 1.6. The impacted element is an unknown function of the file /RbacuserAction.class.php of the component Request Parameter Handler. The manipulation of the argument _or...Show more A security flaw has been discovered in EasyCMS up to 1.6. The impacted element is an unknown function of the file /RbacuserAction.class.php of the component Request Parameter Handler. The manipulation of the argument _order results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2026-3785 1Easycms 1Easycms Apr 29, 2026 Mar 8, 2026 2.1 LOW· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability was identified in EasyCMS up to 1.6. The affected element is an unknown function of the file /RbacnodeAction.class.php of the component Request Parameter Handler. The manipulation of the argument _order l...Show more A vulnerability was identified in EasyCMS up to 1.6. The affected element is an unknown function of the file /RbacnodeAction.class.php of the component Request Parameter Handler. The manipulation of the argument _order leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2026-1105 1Easycms 1Easycms Apr 29, 2026 Jan 18, 2026 5.5 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability was identified in EasyCMS up to 1.6. This vulnerability affects unknown code of the file /UserAction.class.php. Such manipulation of the argument _order leads to sql injection. The attack can be executed...Show more A vulnerability was identified in EasyCMS up to 1.6. This vulnerability affects unknown code of the file /UserAction.class.php. Such manipulation of the argument _order leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2022-23358 1Easycms 1Easycms Nov 21, 2024 Feb 16, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 EasyCMS v1.6 allows for SQL injection via ArticlemAction.class.php. In the background, search terms provided by the user were not sanitized and were used directly to construct a SQL statement.
CVE-2020-24271 1Easycms 1Easycms Nov 21, 2024 Feb 1, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=*&password=*.
CVE-2019-6294 1Easycms 1Easycms Nov 21, 2024 Jan 15, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in EasyCMS 1.5. There is CSRF via the index.php?s=/admin/articlem/insert/navTabId/listarticle/callbackType/closeCurrent URI.
CVE-2018-17113 1Easycms 1Easycms Nov 21, 2024 Sep 17, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 App/Modules/Admin/Tpl/default/Public/dwz/uploadify/scripts/uploadify.swf in EasyCMS 1.5 has XSS via the uploadifyID or movieName parameter, a related issue to CVE-2018-9173.
CVE-2018-16773 1Easycms 1Easycms Nov 21, 2024 Sep 10, 2018 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 EasyCMS 1.5 allows XSS via the index.php?s=/admin/fields/update/navTabId/listfields/callbackType/closeCurrent content field.
CVE-2018-16759 1Easycms 1Easycms Nov 21, 2024 Sep 9, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The removeXSS function in App/Common/common.php (called from App/Modules/Index/Action/SearchAction.class.php) in EasyCMS v1.4 allows XSS via an onhashchange event.
CVE-2018-16345 1Easycms 1Easycms Nov 21, 2024 Sep 2, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in EasyCMS 1.5. There is a CSRF vulnerability that can update the admin password via index.php?s=/admin/rbacuser/update/navTabId/listusers/callbackType/closeCurrent.
CVE-2018-12971 1Easycms 1Easycms Nov 21, 2024 Jun 29, 2018 N/A· v4 6.5 MEDIUM· v3 5.8 MEDIUM· v2 EasyCMS 1.3 has CSRF via the index.php?s=/admin/user/delAll URI to delete users.
CVE-2018-10374 1Easycms 1Easycms Nov 21, 2024 Apr 25, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 EasyCMS 1.3 has XSS via the s POST parameter (aka a search box value) in an index.php?s=/index/search/index.html request.