icms

iCMS 7 attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php.

Path Traversal in iCMS v7.0.13 allows remote attackers to delete folders by injecting commands into a crafted HTTP request to the “do_del()” method of the component “database.admincp.php”.

An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users’ articles via the public/api.php?app=user URI.

idreamsoft iCMS 7.0.15 allows remote attackers to cause a denial of service (resource consumption) via a query for many comments, as demonstrated by the admincp.php?app=comment&perpage= substring followed by a large positive integer.

An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_project.admincp.php SQL injection vulnerability in the ‘upload spider project scheme’ feature via a two-dimensional payload.