Opensolution Quick.Cms vulnerabilities
18 known vulnerabilities affecting opensolution/quick.cms.
Total CVEs
18
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH3MEDIUM14
Vulnerabilities
Page 1 of 1
CVE-2020-35754P3HIGHCVSS 7.2PoCfixed in 6.72021-01-28
CVE-2020-35754 [HIGH] CWE-94 CVE-2020-35754: OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code inject
OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Language tab.
nvd
CVE-2024-58308P2CRITICALCVSS 9.8v6.72025-12-11
CVE-2024-58308 [CRITICAL] CWE-89 CVE-2024-58308: Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass
Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form. Attackers can inject specific SQL payloads like ' or '1'='1 to gain unauthorized administrative access to the system.
nvd
CVE-2025-9982P3HIGHCVSS 7.5v6.82025-11-14
CVE-2025-9982 [HIGH] CWE-256 CVE-2025-9982: A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a
A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve authentication details, potentially leading to privilege escalation.
The vendor was notified early about this vulne
nvd
CVE-2026-11860P3HIGHCVSS 7.5≤ 6.82026-06-15
CVE-2026-11860 [HIGH] CWE-94 CVE-2026-11860: Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity
Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (
nvd
CVE-2025-54542P4MEDIUMCVSS 5.5v6.82025-08-28
CVE-2025-54542 [MEDIUM] CWE-598 CVE-2025-54542: QuickCMS sends password and login via GET Request. This allows a local attacker with access to the v
QuickCMS sends password and login via GET Request. This allows a local attacker with access to the victim's browser history to obtain the necessary credentials to log in as the user.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested a
nvd
CVE-2025-55175P4MEDIUMCVSS 6.1v6.82025-08-28
CVE-2025-55175 [MEDIUM] CWE-79 CVE-2025-55175: QuickCMS is vulnerable to Reflected XSS via sLangEdit parameter in admin's panel functionality. A ma
QuickCMS is vulnerable to Reflected XSS via sLangEdit parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vu
nvd
CVE-2025-54540P4MEDIUMCVSS 6.1v6.82025-08-28
CVE-2025-54540 [MEDIUM] CWE-79 CVE-2025-54540: QuickCMS is vulnerable to Reflected XSS via sSort parameter in admin's panel functionality. A malici
QuickCMS is vulnerable to Reflected XSS via sSort parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulner
nvd
CVE-2021-47981P4MEDIUMCVSS 5.4v6.72026-05-16
CVE-2021-47981 [MEDIUM] CWE-79 CVE-2021-47981: Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenti
Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription parameter. Attackers can craft CSRF forms targeting the admin.php?p=sliders-form endpoint to execute arbitrary JavaScript in victim browsers when the form i
nvd
CVE-2009-4121P4MEDIUMCVSS 6.8v2.42009-12-01
CVE-2009-4121 [MEDIUM] CWE-352 CVE-2009-4121: Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.CMS 2.4 and Quick.CMS.Lite 2.4 a
Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.CMS 2.4 and Quick.CMS.Lite 2.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete web pages via a p-delete action to admin.php, and possibly (2) delete products or (3) delete orders via unspecified vectors. NOTE: some of these details
nvd
CVE-2025-54544P4MEDIUMCVSS 4.8v6.82025-08-28
CVE-2025-54544 [MEDIUM] CWE-79 CVE-2025-54544: QuickCMS is vulnerable to Stored XSS via aDirFilesDescriptions parameter in files editor functionali
QuickCMS is vulnerable to Stored XSS via aDirFilesDescriptions parameter in files editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website.
The vendor was notified early
nvd
CVE-2025-54543P4MEDIUMCVSS 4.8v6.82025-08-28
CVE-2025-54543 [MEDIUM] CWE-79 CVE-2025-54543: QuickCMS is vulnerable to Stored XSS via sDescriptionMeta parameter in page editor SEO functionality
QuickCMS is vulnerable to Stored XSS via sDescriptionMeta parameter in page editor SEO functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website.
The vendor was notified early ab
nvd
CVE-2025-9981P4MEDIUMCVSS 4.8v6.82025-10-23
CVE-2025-9981 [MEDIUM] CWE-79 CVE-2025-9981: QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality (sliders-form). Malicio
QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality (sliders-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript into the website.
The vendor was notified early about this vulnerability,
nvd
CVE-2025-10018P4MEDIUMCVSS 4.8v6.82025-11-14
CVE-2025-10018 [MEDIUM] CWE-79 CVE-2025-10018: QuickCMS is vulnerable to multiple Stored XSS in language editor functionality (languages). Maliciou
QuickCMS is vulnerable to multiple Stored XSS in language editor functionality (languages). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript into the website.
The vendor was notified early about this vulnerability
nvd
CVE-2025-54172P4MEDIUMCVSS 4.8v6.82025-08-20
CVE-2025-54172 [MEDIUM] CWE-79 CVE-2025-54172: QuickCMS is vulnerable to Stored XSS in sTitle parameter in page editor functionality. Malicious att
QuickCMS is vulnerable to Stored XSS in sTitle parameter in page editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. Regular admin user is not able to inject any JS scripts into the page.
The vendor was notified early about this vulne
nvd
CVE-2025-9980P4MEDIUMCVSS 4.8v6.82025-10-23
CVE-2025-9980 [MEDIUM] CWE-79 CVE-2025-9980: QuickCMS is vulnerable to multiple Stored XSS in page editor functionality (pages-form). Malicious a
QuickCMS is vulnerable to multiple Stored XSS in page editor functionality (pages-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website.
The vendor was notified early about this vulner
nvd
CVE-2025-54174P4MEDIUMCVSS 4.3v6.82025-08-20
CVE-2025-54174 [MEDIUM] CWE-352 CVE-2025-54174: QuickCMS is vulnerable to Cross-Site Request Forgery in article creation functionality. Malicious at
QuickCMS is vulnerable to Cross-Site Request Forgery in article creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious article with content defined by the attacker.
The vendor was notified early about this vulnerability, but didn't respond wi
nvd
CVE-2025-54541P4MEDIUMCVSS 4.3v6.82025-08-28
CVE-2025-54541 [MEDIUM] CWE-352 CVE-2025-54541: QuickCMS is vulnerable to Cross-Site Request Forgery in page deletion functionality. Malicious attac
QuickCMS is vulnerable to Cross-Site Request Forgery in page deletion functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request deleting an article.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable ver
nvd
CVE-2012-3833P4MEDIUMCVSS 4.3v4.02012-07-03
CVE-2012-3833 [MEDIUM] CWE-79 CVE-2012-3833: Cross-site scripting (XSS) vulnerability in the default index page in admin/ in Quick.CMS 4.0 allows
Cross-site scripting (XSS) vulnerability in the default index page in admin/ in Quick.CMS 4.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter.
nvd