S-cms ≫ S-cms

A stored cross site scripting (XSS) vulnerability in /app/form_add/of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Title Entry text box.

A remote code execution (RCE) vulnerability in /1.com.php of S-CMS PHP v3.0 allows attackers to getshell via modification of a PHP file.

S-CMS v1.5 has XSS in tpl.php via the member/member_login.php from parameter.

s-cms V3.0 has XSS in index.php?type=text via the S_id parameter.

S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike id parameter.

S-CMS PHP v1.0 has a CSRF vulnerability to add a new admin user via the 4.edu.php/admin/ajax.php?type=admin&action=add&lang=0 URI, a related issue to CVE-2019-9040.

S-CMS PHP v1.0 has XSS in 4.edu.php via the S_id parameter.

S-CMS PHP v3.0 has a CSRF vulnerability to add a new admin user via the admin/ajax.php?type=admin&action=add URI, a related issue to CVE-2018-19332.

SQL Injection was found in S-CMS version V3.0 via the alipay/alipayapi.php O_id parameter.

An issue was discovered in S-CMS 1.0. It allows SQL Injection via the wap_index.php?type=newsinfo S_id parameter.