Cszcms Csz Cms vulnerabilities
28 known vulnerabilities affecting cszcms/csz_cms.
Total CVEs
28
CISA KEV
0
Public exploits
3
Exploited in wild
0
Severity breakdown
CRITICAL10HIGH2MEDIUM16
Vulnerabilities
Page 1 of 2
CVE-2019-13086P2CRITICALCVSS 9.8≤ 1.2.22019-06-30
CVE-2019-13086 [CRITICAL] CWE-89 CVE-2019-13086: core/MY_Security.php in CSZ CMS 1.2.2 before 2019-06-20 has member/login/check SQL injection by send
core/MY_Security.php in CSZ CMS 1.2.2 before 2019-06-20 has member/login/check SQL injection by sending a crafted HTTP User-Agent header and omitting the csrf_csz parameter.
nvd
CVE-2021-43701P3MEDIUMCVSS 6.5PoCv1.2.92022-03-29
CVE-2021-43701 [MEDIUM] CWE-89 CVE-2021-43701: CSZ CMS 1.2.9 has a Time and Boolean-based Blind SQL Injection vulnerability in the endpoint /admin/
CSZ CMS 1.2.9 has a Time and Boolean-based Blind SQL Injection vulnerability in the endpoint /admin/export/getcsv/article_db, via the fieldS[] and orderby parameters.
nvd
CVE-2024-25414P3CRITICALCVSS 9.8v1.3.02024-02-16
CVE-2024-25414 [CRITICAL] CWE-434 CVE-2024-25414: An arbitrary file upload vulnerability in /admin/upgrade of CSZ CMS v1.3.0 allows attackers to execu
An arbitrary file upload vulnerability in /admin/upgrade of CSZ CMS v1.3.0 allows attackers to execute arbitrary code via uploading a crafted Zip file.
nvd
CVE-2019-15524P3CRITICALCVSS 9.8v1.2.32019-08-26
CVE-2019-15524 [CRITICAL] CWE-434 CVE-2019-15524: CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php file to admin/filemanager in t
CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php file to admin/filemanager in the File Management Module, which leads to remote code execution by visiting a photo/upload/2019/ URI.
nvd
CVE-2024-58307P3HIGHCVSS 8.8v1.3.02025-12-11
CVE-2024-58307 [HIGH] CWE-89 CVE-2024-58307: CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality
CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious SQL code through the view parameter to potentially execute time-based blind SQL injection attacks and extract database information.
nvd
CVE-2023-38910P4MEDIUMCVSS 6.1PoCv1.3.02023-08-18
CVE-2023-38910 [MEDIUM] CWE-79 CVE-2023-38910: CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitra
CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Wiget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin.
nvd
CVE-2022-27161P3CRITICALCVSS 9.8v1.2.22022-04-12
CVE-2022-27161 [CRITICAL] CWE-89 CVE-2022-27161: Csz Cms 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_viewUsers
Csz Cms 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_viewUsers
nvd
CVE-2022-27163P3CRITICALCVSS 9.8v1.2.22022-04-12
CVE-2022-27163 [CRITICAL] CWE-89 CVE-2022-27163: CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_editUser
CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_editUser
nvd
CVE-2022-27164P3CRITICALCVSS 9.8v1.2.22022-04-12
CVE-2022-27164 [CRITICAL] CWE-89 CVE-2022-27164: CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_viewUsers
CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_viewUsers
nvd
CVE-2022-27165P3CRITICALCVSS 9.8v1.2.22022-04-12
CVE-2022-27165 [CRITICAL] CWE-89 CVE-2022-27165: CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Plugin_manager_setstatus
CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Plugin_manager_setstatus
nvd
CVE-2022-27162P3CRITICALCVSS 9.8v1.2.22022-04-12
CVE-2022-27162 [CRITICAL] CWE-89 CVE-2022-27162: CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_editUser
CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_editUser
nvd
CVE-2023-38911P4MEDIUMCVSS 5.4PoCv1.3.02023-08-18
CVE-2023-38911 [MEDIUM] CWE-79 CVE-2023-38911: A Cross-Site Scripting (XSS) vulnerability in CSZ CMS 1.3.0 allows attackers to execute arbitrary co
A Cross-Site Scripting (XSS) vulnerability in CSZ CMS 1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Gallery parameter in the YouTube URL fields.
nvd
CVE-2021-37144P3CRITICALCVSS 9.1v1.2.92021-07-30
CVE-2021-37144 [CRITICAL] CWE-706 CVE-2021-37144: CSZ CMS 1.2.9 is vulnerable to Arbitrary File Deletion. This occurs in PHP when the unlink() functio
CSZ CMS 1.2.9 is vulnerable to Arbitrary File Deletion. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization.
nvd
CVE-2020-19786P3HIGHCVSS 8.8v1.2.22023-03-23
CVE-2020-19786 [HIGH] CWE-434 CVE-2020-19786: File upload vulnerability in CSKaza CSZ CMS v.1.2.2 fixed in v1.2.4 allows attacker to execute aritr
File upload vulnerability in CSKaza CSZ CMS v.1.2.2 fixed in v1.2.4 allows attacker to execute aritrary commands and code via crafted PHP file.
nvd
CVE-2020-21250P3CRITICALCVSS 9.8v1.2.42021-10-27
CVE-2020-21250 [CRITICAL] CWE-89 CVE-2020-21250: CSZ CMS v1.2.4 was discovered to contain an arbitrary file upload vulnerability in the component /co
CSZ CMS v1.2.4 was discovered to contain an arbitrary file upload vulnerability in the component /core/MY_Security.php.
nvd
CVE-2025-29084P3MEDIUMCVSS 6.5v1.3.02025-09-23
CVE-2025-29084 [MEDIUM] CWE-89 CVE-2025-29084: SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code vi
SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the execSqlFile function in the Upgrade.php file.
nvd
CVE-2025-29083P3MEDIUMCVSS 6.5v1.3.02025-09-23
CVE-2025-29083 [MEDIUM] CWE-77 CVE-2025-29083: SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code vi
SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the execSqlFile function in the Plugin_Manager.php file.
nvd
CVE-2025-63608P3MEDIUMCVSS 5.4≤ 1.3.02025-10-30
CVE-2025-63608 [MEDIUM] CWE-89 CVE-2025-63608: A SQL injection vulnerability exists in CSZ-CMS <=1.3.0 in the Form Builder view functionality. The
A SQL injection vulnerability exists in CSZ-CMS <=1.3.0 in the Form Builder view functionality. The vulnerability is located in the field parameter of the form viewing feature, allowing authenticated administrators to execute arbitrary SQL queries.
nvd
CVE-2021-47737P4MEDIUMCVSS 5.4v1.2.72025-12-23
CVE-2021-47737 [MEDIUM] CWE-79 CVE-2021-47737: CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert mal
CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert malicious hyperlinks in message titles. Attackers can craft POST requests to the member messaging system with HTML-based links to potentially conduct phishing or social engineering attacks.
nvd
CVE-2024-27734P4MEDIUMCVSS 6.1v1.3.02024-03-01
CVE-2024-27734 [MEDIUM] CWE-79 CVE-2024-27734: A Cross Site Scripting vulnerability in CSZ CMS v.1.3.0 allows an attacker to execute arbitrary code
A Cross Site Scripting vulnerability in CSZ CMS v.1.3.0 allows an attacker to execute arbitrary code via a crafted script to the Site Name fields of the Site Settings component.
nvd
1 / 2Next →