Gilacms Gila_cms

25 CVEs affecting Gilacms Gila_cms. Latest disclosed: 2024-08-12. Critical: 1, High: 8.

Top CVEs affecting Gilacms Gila_cms
CVESeverityScorePublishedSummary
CVE-2020-5514Critical9.12020-01-06Gila CMS 1.11.8 allows Unrestricted Upload of a File with a Dangerous Type via .phar or .phtml to the lzld/thumb?src= URI.
CVE-2020-20726High8.82023-06-20Cross Site Request Forgery vulnerability in Gila GilaCMS v.1.11.4 allows a remote attacker to execute arbitrary code via the cm/update_rows/user parameter.
CVE-2020-20693High8.82021-09-27A Cross-Site Request Forgery (CSRF) in GilaCMS v1.11.4 allows authenticated attackers to arbitrarily add administrator accounts.
CVE-2019-20804High8.82020-05-21Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/themes URI, leading to compromise of the admin account.
CVE-2019-11456High8.82019-04-22Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP code.
CVE-2021-37777High7.52021-10-04Gila CMS 2.2.0 is vulnerable to Insecure Direct Object Reference (IDOR). Thumbnails uploaded by one site owner are visible by another site owner just by knowin…
CVE-2020-20692High7.22021-09-27GilaCMS v1.11.4 was discovered to contain a SQL injection vulnerability via the $_GET parameter in /src/core/controllers/cm.php.
CVE-2020-28692High7.22020-11-16In Gila CMS 1.16.0, an attacker can upload a shell to tmp directy and abuse .htaccess through the logs function for executing PHP files.
CVE-2020-5515High7.22020-01-06Gila CMS 1.11.8 allows /admin/sql?query= SQL Injection.
CVE-2020-5513Medium6.82020-01-06Gila CMS 1.11.8 allows /cm/delete?t=../ Directory Traversal.
CVE-2020-5512Medium6.82020-01-06Gila CMS 1.11.8 allows /admin/media?path=../ Path Traversal.
CVE-2020-20523Medium6.12023-08-11Cross Site Scripting (XSS) vulnerability in adm_user parameter in Gila CMS version 1.11.3, allows remote attackers to execute arbitrary code during the Gila CM…
CVE-2019-20803Medium6.12020-05-21Gila CMS before 1.11.6 has reflected XSS via the admin/content/postcategory id parameter, which is mishandled for g_preview_theme.
CVE-2019-17535Medium6.12019-10-13Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
CVE-2019-9647Medium6.12019-06-05Gila CMS 1.9.1 has XSS.
CVE-2021-39486Medium5.42021-10-04A Stored XSS via Malicious File Upload exists in Gila CMS version 2.2.0. An attacker can use this to steal cookies, passwords or to run arbitrary code on a vic…
CVE-2020-20696Medium5.42021-09-27A cross-site scripting (XSS) vulnerability in /admin/content/post of GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted pa…
CVE-2020-20695Medium5.42021-09-27A stored cross-site scripting (XSS) vulnerability in GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.
CVE-2019-17536Medium4.92019-10-13Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs t…
CVE-2019-16679Medium4.92019-09-21Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion.