Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
A vulnerability was found in S-CMS 5.0 Build 20220328. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Contact Information Page. The manipulation of the argument Make a Call leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-215197 was assigned to this vulnerability.
AnalysisAI
A vulnerability was found in S-CMS 5.0 Build 20220328. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-707. A vulnerability was found in S-CMS 5.0 Build 20220328. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Contact Information Page. The manipulation of the argument Make a Call leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-215197 was assigned to this vulnerability. Affected products include: S-Cms.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike id parameter. Rated critical severity (CVSS 9.8), t
SQL Injection was found in S-CMS version V3.0 via the alipay/alipayapi.php O_id parameter. Rated critical severity (CVSS
An issue was discovered in S-CMS 1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no
An issue was discovered in S-CMS 1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no
An issue was discovered in S-CMS 3.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no
S-CMS PHP 1.0 has SQL injection in member/member_news.php via the type parameter (aka the $N_type field). Rated critical
s-cms 3.0 allows SQL Injection via the member/post.php 0_id parameter or the POST data to member/member_login.php. Rated
S-CMS PHP v1.0 has a CSRF vulnerability to add a new admin user via the 4.edu.php/admin/ajax.php?type=admin&action=add&l
An issue was discovered in S-CMS v1.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no au
s-cms 3.0 allows remote attackers to execute arbitrary PHP code by placing this code in a crafted User-agent Disallow va
An issue was discovered in S-CMS 1.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no aut
S-CMS V3.0 has SQL injection via the S_id parameter, as demonstrated by the /1/?type=productinfo&S_id=140 URI. Rated hig
Same weakness CWE-707 – Improper Neutralization
View allShare
External POC / Exploit Code
Leaving vuln.today