ImpressCMS vulnerabilities
22 known vulnerabilities affecting impresscms/impresscms.
Total CVEs: 22
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 5, MEDIUM 12
Vulnerabilities
Page 1 of 2
CVE-2021-26599 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | PoC | fixed in 1.4.4 | 2022-03-28
ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.
ghsa, nvd, osv
CVE-2022-26986 | P3 | HIGH | CVSS 7.2 | CWE-89 | PoC | ≤ 1.4.3 | 2022-04-05
SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a malicious web shell to compromise the entire system.
ghsa, nvd, osv
CVE-2021-26598 | P3 | MEDIUM | CVSS 5.3 | CWE-287 | PoC | fixed in 1.4.3 | 2022-03-28
ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token).
ghsa, nvd, osv
CVE-2022-24977 | P2 | CRITICAL | CVSS 9.8 | CWE-22 | fixed in 1.4.2 | 2022-02-14
ImpressCMS before 1.4.2 allows unauthenticated remote code execution via ...../// directory traversal in origName or imageName, leading to unsafe interaction with the CKEditor processImage.php script. The payload may be placed in PHP_SESSION_UPLOAD_PROGRESS when the PHP installation supports upload_progress.
ghsa, nvd, osv
CVE-2021-26600 | P2 | CRITICAL | CVSS 9.8 | CWE-843 | fixed in 1.4.3 | 2022-03-28
ImpressCMS before 1.4.3 has plugins/preloads/autologin.php type confusion with resultant Authentication Bypass (!= instead of !==).
ghsa, nvd, osv
CVE-2022-50912 | P2 | CRITICAL | CVSS 9.8 | CWE-434 | v1.4.4 | 2026-01-13
ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions (.php2, .php6, .php7, .phps, .pht) to execute arbitrary PHP code on the server.
nvd
CVE-2014-1836 | P3 | MEDIUM | CVSS 6.4 | CWE-22 | PoC | ≤ 1.3.5 | 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.
ghsa, nvd, osv
CVE-2021-47938 | P2 | HIGH | CVSS 8.8 | CWE-94 | v1.4.2 | 2026-05-10
ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code into the sat_code parameter. Attackers can authenticate, submit a POST request to /modules/system/admin.php?fct=autotasks&op=mod with crafted sat_code con
nvd
CVE-2019-25703 | P3 | HIGH | CVSS 8.8 | CWE-89 | v1.3.11 | 2026-04-12
ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.
nvd
CVE-2021-26601 | P3 | HIGH | CVSS 8.1 | CWE-22 | fixed in 1.4.3 | 2022-03-28
ImpressCMS before 1.4.3 allows libraries/image-editor/image-edit.php image_temp Directory Traversal.
ghsa, nvd, osv
CVE-2010-4271 | P3 | HIGH | CVSS 7.5 | CWE-89 | ≤ 1.2.3, v1.0, +7 more | 2010-11-17
SQL injection vulnerability in ImpressCMS before 1.2.3 RC2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
nvd
CVE-2008-3453 | P4 | CRITICAL | CVSS 10.0 | v1.0 | 2008-08-04
Multiple unspecified vulnerabilities in ImpressCMS 1.0 have unknown impact and attack vectors, related to modules/admin.php and "a few files."
nvd
CVE-2012-0987 | P4 | MEDIUM | CVSS 6.0 | CWE-22 | v1.2, v1.2.1, +5 more | 2012-10-06
Directory traversal vulnerability in edituser.php in ImpressCMS 1.2.x before 1.2.7 Final and 1.3.x before 1.3.1 Final allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the icmsConfigPlugins[sanitizer_plugins][] parameter.
nvd
CVE-2008-5964 | P4 | MEDIUM | CVSS 6.8 | CWE-287 | ≤ 1.0.3, v1.0, +3 more | 2009-01-23
Session fixation vulnerability in Social ImpressCMS before 1.1.1 RC1 allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.
nvd
CVE-2018-13983 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v1.3.10 | 2019-05-06
ImpressCMS 1.3.10 has XSS via the PATH_INFO to htdocs/install/index.php, htdocs/install/page_langselect.php, or htdocs/install/page_modcheck.php.
ghsa, nvd, osv
CVE-2020-17551 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | v1.4.0 | 2020-10-07
ImpressCMS 1.4.0 is affected by XSS in modules/system/admin.php which may result in arbitrary remote code execution.
ghsa, nvd, osv
CVE-2021-28088 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v1.4.2 | 2021-03-11
Cross-site scripting (XSS) in modules/content/admin/content.php in ImpressCMS profile 1.4.2 allows remote attackers to inject arbitrary web script or HTML parameters through the "Display Name" field.
ghsa, nvd, osv
CVE-2012-0986 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | v1.2, v1.2.1, +5 more | 2012-10-06
Multiple cross-site scripting (XSS) vulnerabilities in ImpressCMS 1.2.x before 1.2.7 Final and 1.3.x before 1.3.1 Final allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) notifications.php, (2) modules/system/admin/images/browser.php, and (3) modules/content/admin/content.php.
nvd
CVE-2023-37785 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | ≤ 1.4.5 | 2023-07-13
A cross-site scripting (XSS) vulnerability in ImpressCMS v1.4.5 and before allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the smile_code parameter of the component /editprofile.php.
ghsa, nvd, osv
CVE-2014-4036 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | v1.3.6.1 | 2014-06-11
Cross-site scripting (XSS) vulnerability in modules/system/admin.php in ImpressCMS 1.3.6.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter in a listimg action.
ghsa, nvd, osv