Idreamsoft: >> Icms >> 7.0.0 Security Vulnerabilities
A vulnerability was detected in iCMS up to 8.0.0. Affected is the function Save of the file app/config/ConfigAdmincp.php of the component POST Parameter Handler. The manipulation of the argument config results in code injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
4.7
EPSS Score
0.001
Published
2025-12-31
In iCMS <=8.0.0, a directory traversal vulnerability allows an attacker to read arbitrary files.
CVSS Score
7.5
EPSS Score
0.004
Published
2022-02-04
iCMS <= 8.0.0 allows users to add and render a comtom template, which has a SSTI vulnerability which causes remote code execution.
CVSS Score
9.8
EPSS Score
0.027
Published
2022-02-04
iCMS 7 attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php.
CVSS Score
9.8
EPSS Score
0.004
Published
2020-12-10
A CSRF vulnerability was found in iCMS v7.0.0 in the background deletion administrator account. When missing the CSRF_TOKEN and can still request normally, all administrators except the initial administrator will be deleted.
CVSS Score
6.5
EPSS Score
0.001
Published
2020-09-10
An issue was discovered in idreamsoft iCMS V7.0. admincp.php?app=members&do=del allows CSRF.
CVSS Score
6.5
EPSS Score
0.002
Published
2019-09-21
An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI.
CVSS Score
5.7
EPSS Score
0.001
Published
2019-02-18