Gilacms Gila_cms
25 CVEs affecting Gilacms Gila_cms. Latest disclosed: 2024-08-12. Critical: 1, High: 8.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2020-5514 | Critical | 9.1 | 2020-01-06 | Gila CMS 1.11.8 allows Unrestricted Upload of a File with a Dangerous Type via .phar or .phtml to the lzld/thumb?src= URI. |
| CVE-2020-20726 | High | 8.8 | 2023-06-20 | Cross Site Request Forgery vulnerability in Gila GilaCMS v.1.11.4 allows a remote attacker to execute arbitrary code via the cm/update_rows/user parameter. |
| CVE-2020-20693 | High | 8.8 | 2021-09-27 | A Cross-Site Request Forgery (CSRF) in GilaCMS v1.11.4 allows authenticated attackers to arbitrarily add administrator accounts. |
| CVE-2019-20804 | High | 8.8 | 2020-05-21 | Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/themes URI, leading to compromise of the admin account. |
| CVE-2019-11456 | High | 8.8 | 2019-04-22 | Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP code. |
| CVE-2021-37777 | High | 7.5 | 2021-10-04 | Gila CMS 2.2.0 is vulnerable to Insecure Direct Object Reference (IDOR). Thumbnails uploaded by one site owner are visible by another site owner just by knowin… |
| CVE-2020-20692 | High | 7.2 | 2021-09-27 | GilaCMS v1.11.4 was discovered to contain a SQL injection vulnerability via the $_GET parameter in /src/core/controllers/cm.php. |
| CVE-2020-28692 | High | 7.2 | 2020-11-16 | In Gila CMS 1.16.0, an attacker can upload a shell to the tmp directory and abuse .htaccess through the logs function for executing PHP files. |
| CVE-2020-5515 | High | 7.2 | 2020-01-06 | Gila CMS 1.11.8 allows /admin/sql?query= SQL Injection. |
| CVE-2020-5513 | Medium | 6.8 | 2020-01-06 | Gila CMS 1.11.8 allows /cm/delete?t=../ Directory Traversal. |
| CVE-2020-5512 | Medium | 6.8 | 2020-01-06 | Gila CMS 1.11.8 allows /admin/media?path=../ Path Traversal. |
| CVE-2020-20523 | Medium | 6.1 | 2023-08-11 | Cross Site Scripting (XSS) vulnerability in adm_user parameter in Gila CMS version 1.11.3, allows remote attackers to execute arbitrary code during the Gila CM… |
| CVE-2019-20803 | Medium | 6.1 | 2020-05-21 | Gila CMS before 1.11.6 has reflected XSS via the admin/content/postcategory id parameter, which is mishandled for g_preview_theme. |
| CVE-2019-17535 | Medium | 6.1 | 2019-10-13 | Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647. |
| CVE-2019-9647 | Medium | 6.1 | 2019-06-05 | Gila CMS 1.9.1 has XSS. |
| CVE-2021-39486 | Medium | 5.4 | 2021-10-04 | A Stored XSS via Malicious File Upload exists in Gila CMS version 2.2.0. An attacker can use this to steal cookies, passwords or to run arbitrary code on a vic… |
| CVE-2020-20696 | Medium | 5.4 | 2021-09-27 | A cross-site scripting (XSS) vulnerability in /admin/content/post of GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted pa… |
| CVE-2020-20695 | Medium | 5.4 | 2021-09-27 | A stored cross-site scripting (XSS) vulnerability in GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file. |
| CVE-2019-17536 | Medium | 4.9 | 2019-10-13 | Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs t… |
| CVE-2019-16679 | Medium | 4.9 | 2019-09-21 | Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion. |