SSCMS
SQL injection in SSCMS v7.4.0 enables high-privileged attackers to execute arbitrary SQL statements via the stl:sqlContent tag's queryString attribute. Attackers with administrative access can craft encrypted payloads to the /api/stl/actions/dynamic endpoint, bypassing parameterization controls to achieve database compromise, authentication bypass, or complete data exfiltration. EPSS data is not available, and there is no confirmed active exploitation (CISA KEV negative); public exploit code availability is unknown, but the detailed technical advisory published by VulnCheck increases weaponization risk.
Reflected cross-site scripting in SSCMS v7.4.0 allows authenticated attackers to inject arbitrary JavaScript through crafted STL template payloads in the /api/stl/actions/dynamic endpoint. The vulnerability arises from improper output encoding when decrypted STL templates are returned in JSON responses, enabling session hijacking, credential theft via phishing, and unauthorized user actions. User interaction is required to trigger the payload, limiting but not eliminating real-world risk.
SSCMS 4.7.0's layerImage endpoint allows authenticated attackers to manipulate the filePaths parameter in LayerImageController.Submit.cs, enabling path traversal attacks that can modify or delete arbitrary files on the server. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in SSCMS 7.4.0 via the tableHandWrite parameter in SitesAddController.Submit.cs allows authenticated remote attackers to execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.
A path traversal vulnerability exists in SSCMS versions up to 7.4.0 within the PathUtils.RemoveParentPath function of the plugin download API endpoint (/api/admin/plugins/install/actions/download). An authenticated administrator with high privileges can manipulate the path argument to traverse the file system and access or modify files outside the intended directory, potentially leading to information disclosure or system compromise. The vulnerability has public proof-of-concept code available, though the CVSS score of 3.8 is relatively low due to the requirement for authenticated administrative access, making this a lower-priority but still exploitable issue in environments where admin credentials may be compromised.
An issue in the component /stl/actions/download?filePath of SSCMS v7.3.1 allows attackers to execute a directory traversal. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. No vendor patch is available.