| purl | pkg:maven/net.mingsoft/ms-mcms@5.2.6 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-38k3-shgt-vqb7 (Aliases: CVE-2022-4640, GHSA-6rvv-h8g7-728w) | Mingsoft MCMS Cross-site Scripting vulnerability: A vulnerability has been found in Mingsoft MCMS 5.2.9 and classified as problematic. Affected by this vulnerability is the function save of the component Article Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216499. | Affected by 6 other vulnerabilities. |
| VCID-3awj-qev5-r7bc (Aliases: CVE-2022-26585, GHSA-mx3x-rmrh-9wf6) | Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability via /cms/content/list. | Affected by 14 other vulnerabilities. |
| VCID-3reu-a53v-6udk (Aliases: CVE-2022-36599, GHSA-w3rc-2whg-w934) | Mingsoft MCMS SQL injection vulnerability in /mdiy/model/delete URI via models List: Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/model/delete URI via models Lists. | Affected by 9 other vulnerabilities. |
| VCID-4cwx-u7yx-hkfs (Aliases: CVE-2022-29647, GHSA-gp39-qj5f-43qv) | Cross Site Request Forgery in Mingsoft MCMS: An issue was discovered in MCMS 5.2.7. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do. | Affected by 14 other vulnerabilities. |
| VCID-7g4x-ecdy-ubfd (Aliases: CVE-2022-4375, GHSA-hc5g-xf64-j49j) | Mingsoft MCMS vulnerable to SQL Injection: A vulnerability was found in Mingsoft MCMS up to 5.2.9. It has been classified as critical. Affected is an unknown function of the file /cms/category/list. The manipulation of the argument sqlWhere leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.2.10 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215196. | Affected by 6 other vulnerabilities. |
| VCID-84a8-412b-3uhn (Aliases: CVE-2023-3990, GHSA-rxvj-5mv6-j5mc) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): A vulnerability classified as problematic has been found in Mingsoft MCMS up to 5.3.1. This affects an unknown part of the file search.do of the component HTTP POST Request Handler. The manipulation of the argument style leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-235611. | Affected by 4 other vulnerabilities. |
| VCID-e4nq-cu9e-47fk (Aliases: CVE-2022-27340, GHSA-g94p-h263-c26q) | MCMS v5.2.7 contains a Cross-Site Request Forgery (CSRF) via /role/saveOrUpdateRole.do. This vulnerability allows attackers to escalate privileges and modify data. | Affected by 14 other vulnerabilities. |
| VCID-fd75-5u27-mkge (Aliases: CVE-2022-47042, GHSA-65v6-3c9m-hmrp) | Arbitrary file write in net.mingsoft:ms-mcms: MCMS v5.2.10 and below was discovered to contain an arbitrary file write vulnerability via the component ms/template/writeFileContent.do. | Affected by 5 other vulnerabilities. |
| VCID-gbhx-fq47-nqcg (Aliases: CVE-2023-50578, GHSA-3vvh-8c65-32j4) | Mingsoft MCMS SQL injection: Mingsoft MCMS v5.2.9 was discovered to contain a SQL injection vulnerability via the categoryType parameter at /content/list.do. | Affected by 6 other vulnerabilities. |
| VCID-kv2x-97pe-ekbc (Aliases: CVE-2022-30506, GHSA-6xj9-hpq3-w3qw) | Code injection in MCMS: An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code through a crafted ZIP file. | Affected by 14 other vulnerabilities. |
| VCID-nxdv-gre3-b3fu (Aliases: CVE-2026-2666, GHSA-r9wp-qq53-qvjx) | mingSoft MCMS does not properly restrict file uploads: A flaw has been found in mingSoft MCMS 6.1.1. The affected element is an unknown function of the file /ms/file/uploadTemplate.do of the component Template Archive Handler. Executing a manipulation of the argument File can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. | Affected by 0 other vulnerabilities. |
| VCID-pgm5-u97w-mkft (Aliases: CVE-2025-60837, GHSA-wvv5-5g6x-hp7j) | MCMS reflected cross-site scripting (XSS) vulnerability: A reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload. | Affected by 1 other vulnerability. |
| VCID-pn6s-84fa-cba8 (Aliases: CVE-2025-29287, GHSA-3922-2r6r-r4fv) | MCMS allows arbitrary file uploads in the ueditor component: An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file. | Affected by 2 other vulnerabilities. |
| VCID-qhkc-d67r-5bdk (Aliases: CVE-2022-36272, GHSA-hmj3-mqgw-2fq6) | Mingsoft MCMS SQL injection vulnerability in /mdiy/page/verify URI via fieldName parameter: Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/page/verify URI via fieldName parameter. | Affected by 9 other vulnerabilities. |
| VCID-qrsb-4t7r-r7aq (Aliases: CVE-2024-22567, GHSA-7qw4-9r68-2rmx) | mingSoft MCMS File Upload vulnerability: File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do. | Affected by 3 other vulnerabilities. |
| VCID-uujv-1xyj-gqbz (Aliases: CVE-2022-22930, GHSA-8wq7-hhjj-fpqv) | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): A remote code execution (RCE) vulnerability in the Template Management function of MCMS v5.2.4 allows attackers to execute arbitrary code via a crafted payload. | Affected by 9 other vulnerabilities. |
| VCID-yyd2-2wag-pkde (Aliases: CVE-2022-4350, GHSA-p46c-m4j7-mjvq) | Mingsoft MCMS vulnerable to Cross-site Scripting: A vulnerability, which was classified as problematic, was found in Mingsoft MCMS 5.2.8. Affected is an unknown function of the file search.do. The manipulation of the argument content_title leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-215112. | Affected by 9 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-14q8-uvkd-nfga | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.web.DictAction#list. The attack vector is: 0 or sleep(3). MCMS has a sql injection vulnerability through which attacker can get sensitive information from the database. | CVE-2021-46383, GHSA-qqc2-pv68-q72h |
| VCID-43n1-8njz-13cy | Unrestricted Upload of File with Dangerous Type: File upload vulnerability in mingSoft MCMS through 5.2.5, allows remote attackers to execute arbitrary code via a crafted jspx webshell to net.mingsoft.basic.action.web.FileAction#upload. | CVE-2021-46386, GHSA-cwx9-rp4w-4545 |
| VCID-ggj3-wf7f-cffw | Improper Authentication: https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: RCE. The impact is: execute arbitrary code (remote). The attack vector is: ${"freemarker.template.utility.Execute"?new()("calc")}. MCMS has a pre-auth RCE vulnerability through which allows unauthenticated attacker with network access via http to compromise MCMS. Successful attacks of this vulnerability can result in takeover of MCMS. | CVE-2021-46384, GHSA-qwh6-xwj4-9cjg |
| VCID-kmww-m8hg-2fh7 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via search.do in the file /web/MCmsAction.java. | CVE-2022-23899, GHSA-968c-mm28-jfw4 |
| VCID-p6m1-wjxq-xfau | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.FormDataAction#queryData. The attack vector is: 0 or sleep(3). MCMS has a sql injection vulnerability through which attacker can get sensitive information from the database. | CVE-2021-46385, GHSA-phwq-9gc4-q5c8 |
| VCID-sdrg-1mmp-ffba | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml. | CVE-2022-23898, GHSA-p94q-9q2m-pfh2 |
| VCID-w7nu-3yp1-cqej | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): MCMS v5.2.5 was discovered to contain a Server Side Template Injection (SSTI) vulnerability via the Template Management module. | CVE-2021-46063, GHSA-gc79-gh4f-9g6w |