
Gila CMS (gilacms/gila_cms) vulnerabilities

24 known vulnerabilities affecting gilacms/gila_cms.

Total CVEs: 24
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 8, MEDIUM 12, LOW 3

Vulnerabilities

Page 1 of 2
CVE-2020-5515 | P3 | HIGH | CVSS 7.2 | PoC | v1.11.8 | published 2020-01-06
CWE-89: Gila CMS 1.11.8 allows /admin/sql?query= SQL Injection.
Source: NVD
CVE-2020-5514 | P2 | CRITICAL | CVSS 9.1 | v1.11.8 | published 2020-01-06
CWE-434: Gila CMS 1.11.8 allows Unrestricted Upload of a File with a Dangerous Type via .phar or .phtml to the lzld/thumb?src= URI.
Source: NVD
CVE-2019-16679 | P3 | MEDIUM | CVSS 4.9 | PoC | fixed in 1.11.1 | published 2019-09-21
CWE-22: Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion.
Source: NVD
CVE-2020-5513 | P3 | MEDIUM | CVSS 6.8 | v1.11.8 | published 2020-01-06
CWE-22: Gila CMS 1.11.8 allows /cm/delete?t=../ Directory Traversal.
Source: NVD
CVE-2020-5512 | P3 | MEDIUM | CVSS 6.8 | v1.11.8 | published 2020-01-06
CWE-22: Gila CMS 1.11.8 allows /admin/media?path=../ Path Traversal.
Source: NVD
CVE-2019-11456 | P3 | HIGH | CVSS 8.8 | v1.10.1 | published 2019-04-22
CWE-352: Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP code.
Source: NVD
CVE-2020-20726 | P3 | HIGH | CVSS 8.8 | v1.11.4 | published 2023-06-20
CWE-352: A Cross-Site Request Forgery vulnerability in GilaCMS v1.11.4 allows a remote attacker to execute arbitrary code via the cm/update_rows/user parameter.
Source: NVD
CVE-2020-28692 | P3 | HIGH | CVSS 7.2 | v1.16.0 | published 2020-11-16
CWE-434: In Gila CMS 1.16.0, an attacker can upload a shell to the tmp directory and abuse .htaccess through the logs function to execute PHP files.
Source: NVD
CVE-2020-20692 | P3 | HIGH | CVSS 7.2 | v1.11.4 | published 2021-09-27
CWE-89: GilaCMS v1.11.4 contains a SQL injection vulnerability via the $_GET parameter in /src/core/controllers/cm.php.
Source: NVD
CVE-2021-37777 | P3 | HIGH | CVSS 7.5 | v2.2.0 | published 2021-10-04
CWE-639: Gila CMS 2.2.0 is vulnerable to Insecure Direct Object Reference (IDOR). Thumbnails uploaded by one site owner are visible to another site owner who knows the other site's name and fuzzes for picture names, leading to sensitive information disclosure.
Source: NVD
CVE-2020-20693 | P4 | HIGH | CVSS 8.8 | v1.11.4 | published 2021-09-27
CWE-352: A Cross-Site Request Forgery (CSRF) in GilaCMS v1.11.4 allows authenticated attackers to arbitrarily add administrator accounts.
Source: NVD
CVE-2019-20804 | P4 | HIGH | CVSS 8.8 | fixed in 1.11.6 | published 2020-05-21
CWE-352: Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/themes URI, leading to compromise of the admin account.
Source: NVD
CVE-2024-7657 | P4 | MEDIUM | CVSS 5.4 | v1.10.9 | published 2024-08-12
CWE-79: A vulnerability classified as problematic was found in Gila CMS 1.10.9. It affects unknown code of the file /cm/update_rows/page?id=2 in the HTTP POST Request Handler component. Manipulation of the argument content leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and m
Source: NVD
CVE-2019-17536 | P4 | MEDIUM | CVSS 4.9 | ≤ 1.11.4 | published 2019-10-13
CWE-434: Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
Source: NVD
CVE-2019-11515 | P4 | MEDIUM | CVSS 4.9 | v1.10.1 | published 2019-04-25
CWE-22: core/classes/db_backup.php in Gila CMS 1.10.1 allows admin/db_backup?download= absolute path traversal to read arbitrary files.
Source: NVD
CVE-2019-17535 | P4 | MEDIUM | CVSS 6.1 | ≤ 1.11.4 | published 2019-10-13
CWE-79: Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter; a related issue to CVE-2019-9647.
Source: NVD
CVE-2019-20803 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.11.6 | published 2020-05-21
CWE-79: Gila CMS before 1.11.6 has reflected XSS via the admin/content/postcategory id parameter, which is mishandled for g_preview_theme.
Source: NVD
CVE-2021-39486 | P4 | MEDIUM | CVSS 5.4 | v2.2.0 | published 2021-10-04
CWE-79: A Stored XSS via Malicious File Upload exists in Gila CMS version 2.2.0. An attacker can use this to steal cookies or passwords, or to run arbitrary code in a victim's browser.
Source: NVD
CVE-2020-26625 | P4 | LOW | CVSS 3.8 | ≤ 1.15.4 | published 2024-01-02
CWE-89: A SQL injection vulnerability in Gila CMS 1.15.4 and earlier allows a remote attacker to execute arbitrary web scripts via the 'user_id' parameter after the login portal.
Source: NVD
CVE-2020-20523 | P4 | MEDIUM | CVSS 6.1 | v1.11.3 | published 2023-08-11
CWE-79: Cross Site Scripting (XSS) vulnerability in the adm_user parameter in Gila CMS version 1.11.3 allows remote attackers to execute arbitrary code during the Gila CMS installation.
Source: NVD
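Several of the entries above name a concrete endpoint and parameter (admin/sql?query=, admin/fm/?f=../, cm/delete?t=../, admin/media?path=../, admin/db_backup?download=, lzld/thumb?src=), which is enough to build a retrospective check over web server logs. The scanner below is an added example written for this page; it is not code from cvebase or from the Gila CMS project. It assumes an Apache/nginx "combined"-style access log, decodes percent-encoding repeatedly so double-encoded traversal (%252e%252e%252f) is caught, and uses only the paths, parameters and file extensions quoted in the CVE descriptions above. The sample log lines are constructed for the example and are not real traffic. A hit on /admin/sql marks use of the admin SQL console for review rather than proving an attack, since that endpoint is a legitimate administrative feature.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoints and parameters copied from the CVE descriptions on this page.
# Entry: (CVE id, path prefix, query parameter, kind of check).
WATCHLIST = [
    ("CVE-2020-5515", "/admin/sql", "query", "sql_console"),
    ("CVE-2020-5514", "/lzld/thumb", "src", "dangerous_ext"),
    ("CVE-2019-16679", "/admin/fm/", "f", "traversal"),
    ("CVE-2020-5513", "/cm/delete", "t", "traversal"),
    ("CVE-2020-5512", "/admin/media", "path", "traversal"),
    ("CVE-2019-11515", "/admin/db_backup", "download", "absolute_path"),
]

# File extensions named in CVE-2020-5514.
DANGEROUS_EXT = (".phar", ".phtml")

# "combined"-style access log line; the log format is an assumption of this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so %252e%252e%252f is seen as ../ (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    v = fully_decode(value).replace("\\", "/")
    return "../" in v or v.endswith("/..") or v == ".."


def is_absolute(value: str) -> bool:
    v = fully_decode(value).replace("\\", "/")
    return v.startswith("/") or re.match(r"^[A-Za-z]:/", v) is not None


def inspect_target(target: str) -> list:
    """Return [(cve_id, reason), ...] for one request target (path + query string)."""
    parts = urlsplit(target)
    path = fully_decode(parts.path)
    # keep_blank_values so a bare '?query=' is still reported
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    hits = []
    for cve, prefix, param, kind in WATCHLIST:
        if not path.startswith(prefix) or param not in params:
            continue
        value = params[param]
        if kind == "sql_console":
            hits.append((cve, f"admin SQL console used: query={value!r}"))
        elif kind == "dangerous_ext" and fully_decode(value).lower().endswith(DANGEROUS_EXT):
            hits.append((cve, f"dangerous upload extension in {param}={value!r}"))
        elif kind == "traversal" and is_traversal(value):
            hits.append((cve, f"directory traversal in {param}={value!r}"))
        elif kind == "absolute_path" and (is_absolute(value) or is_traversal(value)):
            hits.append((cve, f"absolute path or traversal in {param}={value!r}"))
    return hits


def scan_log(lines) -> list:
    """Parse access-log lines; return one finding dict per matched CVE pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for cve, reason in inspect_target(m.group("target")):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "cve": cve, "reason": reason})
    return findings


# Constructed sample lines (not real traffic): one per pattern plus a benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2020:13:01:02 +0000] "GET /admin/sql?query=SELECT%20%2A%20FROM%20user HTTP/1.1" 200 512 "-" "curl/7.64"
203.0.113.5 - - [10/Jan/2020:13:01:09 +0000] "GET /admin/fm/?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834 "-" "curl/7.64"
203.0.113.5 - - [10/Jan/2020:13:02:15 +0000] "GET /lzld/thumb?src=shell.phtml HTTP/1.1" 200 64 "-" "curl/7.64"
198.51.100.7 - - [10/Jan/2020:13:03:00 +0000] "GET /admin/media?path=uploads HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2020:13:03:05 +0000] "GET /cm/delete?t=%252e%252e%252fconfig HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2020:13:03:30 +0000] "GET /admin/db_backup?download=/etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['cve']} {f['reason']} (HTTP {f['status']})")
```

Run it against a real log with `scan_log(open("access.log"))`. Note that a 200 on the traversal and download requests is what turns a probe into a confirmed read; the status code is carried in each finding so those can be prioritised over 4xx responses from a scanner that found nothing.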