Filtered by vendor Maccms
Total: 35 CVE
| CVE | Vendor | Product | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2025-50234 | Maccms | Maccms | 2025-08-12 | 6.5 Medium | MCCMS v2.7.0 has an SSRF vulnerability in the index() method of sys\apps\controllers\api\Gf.php, where the pic parameter is processed. The pic parameter is decrypted with sys_auth($pic, 1), which uses the hard-coded key Mc_Encryption_Key (bD2voYwPpNuJ7B8) defined in db.php, so an attacker who knows that key can craft a valid encrypted pic value. The decrypted URL is passed to geturl(), which fetches it with cURL without any security checks. The decrypted URL can therefore point at internal addresses or local file paths (for example http://127.0.0.1 or file://); with file:// the attacker can read arbitrary files on the local file system (e.g. file:///etc/passwd, file:///C:/Windows/System32/drivers/etc/hosts), including configuration and log files. Reaching internal services and the local file system through http://, ftp:// and file:// can lead to sensitive data leakage, remote code execution, privilege escalation, or full system compromise. |
| CVE-2025-45475 | Maccms | Maccms | 2025-06-24 | 5.4 Medium | maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) in Friend Link Management. |
| CVE-2025-45474 | Maccms | Maccms | 2025-06-19 | 7.3 High | maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) in Email Settings. |
| CVE-2024-32391 | Maccms | Maccms | 2025-04-30 | 7.3 High | Cross-site scripting (XSS) vulnerability in MacCMS v.10 v.2024.1000.3000 allows a remote attacker to execute arbitrary code via a crafted payload. |
| CVE-2024-46654 | Maccms | Maccms | 2025-04-28 | 4.8 Medium | A stored cross-site scripting (XSS) vulnerability in the Add Scheduled Task module of Maccms10 v2024.1000.4040 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2017-17733 | Maccms | Maccms | 2025-04-20 | N/A | Maccms 8.x allows remote command execution via the wd parameter in an index.php?m=vod-search request. |
| CVE-2022-44870 | Maccms | Maccms | 2025-04-09 | 6.1 Medium | A reflected cross-site scripting (XSS) vulnerability in maccms10 v2022.1000.3032 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter under the AD Management module. |
| CVE-2025-28089 | Maccms | Maccms | 2025-04-07 | 9.1 Critical | maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) via the Scheduled Task function. |
| CVE-2025-28090 | Maccms | Maccms | 2025-04-07 | 9.1 Critical | maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) in the Collection Custom Interface feature. |
| CVE-2025-28091 | Maccms | Maccms | 2025-04-07 | 9.1 Critical | maccms10 v2025.1000.4047 has a Server-Side Request Forgery (SSRF) vulnerability via Add Article. |
| CVE-2022-47872 | Maccms | Maccms | 2024-11-21 | 8.8 High | A Server-Side Request Forgery (SSRF) in maccms10 v2021.1000.2000 allows attackers to force the application to make arbitrary requests via a crafted payload injected into the Name parameter under the Interface address module. |
| CVE-2022-35148 | Maccms | Maccms | 2024-11-21 | 6.5 Medium | maccms10 v2021.1000.1081 to v2022.1000.3031 was discovered to contain a SQL injection vulnerability via the table parameter at database/columns.html. |
| CVE-2022-31303 | Maccms | Maccms | 2024-11-21 | 5.4 Medium | maccms10 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Server Group text field. |
| CVE-2022-31302 | Maccms | Maccms | 2024-11-21 | 5.4 Medium | maccms8 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Server Group text field. |
| CVE-2022-27887 | Maccms | Maccms | 2024-11-21 | 6.1 Medium | Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/vod/data.html via the repeat parameter. |
| CVE-2022-27886 | Maccms | Maccms | 2024-11-21 | 6.1 Medium | Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/ulog/index.html via the wd parameter. |
| CVE-2022-27885 | Maccms | Maccms | 2024-11-21 | 6.1 Medium | Maccms v10 was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities in /admin.php/admin/website/data.html via the select and input parameters. |
| CVE-2022-27884 | Maccms | Maccms | 2024-11-21 | 6.1 Medium | Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/plog/index.html via the wd parameter. |
| CVE-2022-26573 | Maccms | Maccms | 2024-11-21 | 6.1 Medium | Maccms v10 was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities in /admin.php/admin/art/data.html via the select and input parameters. |
| CVE-2021-45787 | Maccms | Maccms | 2024-11-21 | 5.4 Medium | There is a stored cross-site scripting (XSS) vulnerability in maccms v10 through adding videos. XSS code can be inserted at parameter positions including name and remarks. |
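Added example, not Maccms code and not from any of the CVE reports above: the allow-list check that the geturl()-style fetch in CVE-2025-50234 lacks, and that the other SSRF entries (Friend Link Management, Email Settings, Scheduled Task, Collection Custom Interface, Add Article, Interface address) would equally need in front of their server-side request. It is written in Python so it runs stand-alone; the resolver hook, the fake DNS table and the sample URLs are assumptions constructed for this example.

```python
# Added example, not Maccms code: an allow-list check for a URL the server is
# about to fetch, the guard absent from the geturl()-style fetches in the SSRF
# entries above. The resolver hook, FAKE_DNS and SAMPLE_URLS are assumptions
# made up for this example.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Resolve a hostname with the system resolver; [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def _is_internal(ip):
    """True for any address a server-side fetch must never reach."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_fetch_url(url, resolver=resolve_host):
    """Return (ok, reason) for a URL the server is about to fetch.

    Rejects everything that is not plain http(s) (so file://, ftp://, gopher://
    never reach cURL), URLs carrying credentials, and any host whose literal or
    resolved address is loopback, private, link-local, reserved, multicast or
    unspecified."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    if not host:
        return False, "no host"
    try:
        # Literal IP (dotted IPv4 or bracketed IPv6): no DNS needed.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # Hostname, or an odd literal such as http://2130706433/ : ask the
        # resolver. A resolver that refuses it rejects here; one that accepts
        # it (glibc turns 2130706433 into 127.0.0.1) is caught in the loop.
        resolved = resolver(host)
        if not resolved:
            return False, f"{host} does not resolve"
        addrs = [ipaddress.ip_address(a) for a in resolved]
    for ip in addrs:
        if _is_internal(ip):
            return False, f"{host} -> {ip} is not a public address"
    return True, "ok"


# Constructed DNS table so the demo runs offline; these are not real hosts.
FAKE_DNS = {
    "internal.corp": ["10.0.0.5"],
    "cdn.example": ["93.184.216.34"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


# Constructed inputs modelled on the decrypted pic values the CVE-2025-50234
# text describes, plus hostname-based cases of the kind the other SSRF entries
# imply. Only the last one should be allowed.
SAMPLE_URLS = [
    "file:///etc/passwd",
    "file:///C:/Windows/System32/drivers/etc/hosts",
    "ftp://cdn.example/pub/x",
    "http://127.0.0.1/",
    "http://[::ffff:127.0.0.1]/",
    "http://169.254.169.254/latest/meta-data/",
    "http://internal.corp:8080/admin",
    "http://user:pw@cdn.example/",
    "http://2130706433/",
    "https://cdn.example/img/1.jpg",
]


def classify(urls=SAMPLE_URLS, resolver=fake_resolver):
    """Map each URL to its (ok, reason) verdict."""
    return {u: check_fetch_url(u, resolver) for u in urls}


if __name__ == "__main__":
    for url, (ok, why) in classify().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {url}  ({why})")
```

In the PHP code the entries describe, the same policy belongs directly in front of the cURL call: validate the decrypted URL as above, set CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS to CURLPROTO_HTTP | CURLPROTO_HTTPS so libcurl itself refuses file://, ftp:// and gopher://, and either leave CURLOPT_FOLLOWLOCATION off or re-run the check on every redirect target. Resolving once and pinning the checked address (CURLOPT_RESOLVE) closes the DNS-rebinding gap between check and connect. None of this substitutes for authentication: because Mc_Encryption_Key is hard-coded, the encrypted pic parameter is forgeable by anyone who has read db.php, so the encryption alone cannot gate the fetch.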
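Added example, not from the page or the Maccms project: a detection pass over web-server access logs for the reflected-XSS endpoint/parameter pairs listed above (CVE-2022-27884, CVE-2022-27885, CVE-2022-27886, CVE-2022-27887 and CVE-2022-26573). The log lines are constructed, the marker regex is a coarse heuristic chosen for this example, and the line parser assumes Apache/Nginx combined log format.

```python
# Added example, not Maccms code: scan access logs for requests that hit the
# reflected-XSS endpoint/parameter pairs listed in the table above. SAMPLE_LOG
# is constructed; XSS_MARKERS is a coarse heuristic chosen for this example.
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint, vulnerable query parameters and CVE, taken from the entries above.
WATCHLIST = [
    ("/admin.php/admin/vod/data.html", ("repeat",), "CVE-2022-27887"),
    ("/admin.php/admin/ulog/index.html", ("wd",), "CVE-2022-27886"),
    ("/admin.php/admin/website/data.html", ("select", "input"), "CVE-2022-27885"),
    ("/admin.php/admin/plog/index.html", ("wd",), "CVE-2022-27884"),
    ("/admin.php/admin/art/data.html", ("select", "input"), "CVE-2022-26573"),
]

# Tag openers, javascript: URLs and on*= handlers. Assumption: coarse, so tune
# it against your own traffic before alerting on it.
XSS_MARKERS = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.I)

# Apache/Nginx combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \S+'
)


def decode_fully(value, max_rounds=3):
    """Undo double/triple URL encoding (%253C -> %3C -> <) so markers are visible."""
    for _ in range(max_rounds):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value


def scan_line(line):
    """Return a finding dict for one log line, or None if it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    for path, params, cve in WATCHLIST:
        if parts.path != path:
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        for name in params:
            for raw in query.get(name, []):
                value = decode_fully(raw)
                if XSS_MARKERS.search(value):
                    return {"cve": cve, "client": client, "time": ts, "method": method,
                            "status": status, "param": name, "value": value}
    return None


def scan_log(lines):
    """All findings over an iterable of log lines, in log order."""
    return [hit for hit in map(scan_line, lines) if hit]


# Constructed sample: one benign admin search, two probes against listed
# endpoints (the second one double-encoded), and a probe against a path that
# is not on the watchlist and therefore must not be reported.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2025:10:01:02 +0000] "GET /admin.php/admin/ulog/index.html?wd=login HTTP/1.1" 200 5120
203.0.113.7 - - [12/Aug/2025:10:01:09 +0000] "GET /admin.php/admin/ulog/index.html?wd=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5410
198.51.100.4 - - [12/Aug/2025:10:02:30 +0000] "GET /admin.php/admin/website/data.html?select=type&input=%2522%2520onmouseover%253Dalert(1)%2520x%253D%2522 HTTP/1.1" 200 3010
198.51.100.4 - - [12/Aug/2025:10:03:00 +0000] "GET /admin.php/admin/vod/index.html?wd=%3Cscript%3E HTTP/1.1" 200 900
"""


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['client']} {hit['cve']} {hit['param']}={hit['value']!r}")
```

The path match is exact on purpose: the entries name specific admin pages, and a request with a script payload to a page that is not listed (the last sample line) is left for a broader rule rather than attributed to one of these CVEs. Stored-XSS entries such as the Server Group field or video name and remarks are POST bodies and are not visible in a request-line-only log, so this scanner does not cover them.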