Ofcms_project Ofcms
20 CVEs affecting Ofcms_project Ofcms. Latest disclosed: 2025-02-22. Critical: 1, High: 9.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2024-34256 | Critical | 9.8 | 2024-05-14 | OFCMS V1.1.2 is vulnerable to SQL Injection via the new table function. |
CVE-2023-24760 | High | 8.8 | 2023-03-16 | An issue found in Ofcms v.1.1.4 allows a remote attacker to to escalate privileges via the respwd method in SysUserController. |
CVE-2019-9617 | High | 8.8 | 2019-03-06 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for exam… |
CVE-2019-9614 | High | 8.8 | 2019-03-06 | An issue was discovered in OFCMS before 1.1.3. A command execution vulnerability exists via a template file with '<#assign ex="freemarker.template.utility.Exec… |
CVE-2019-9612 | High | 8.8 | 2019-03-06 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for exam… |
CVE-2019-9609 | High | 8.8 | 2019-03-06 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for exam… |
CVE-2019-9608 | High | 8.8 | 2019-03-06 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for exam… |
CVE-2019-9616 | High | 7.2 | 2019-03-06 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for exam… |
CVE-2019-9615 | High | 7.2 | 2019-03-06 | An issue was discovered in OFCMS before 1.1.3. It allows admin/system/generate/create?sql= SQL injection, related to SystemGenerateController.java. |
CVE-2019-9613 | High | 7.2 | 2019-03-06 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for exam… |
CVE-2024-48236 | Medium | 6.5 | 2024-10-25 | An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the FileOutputStream function in the write String method of the ofcms-admin\src\… |
CVE-2024-48235 | Medium | 6.5 | 2024-10-25 | An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the save method of the TemplateController.java file. |
CVE-2019-9611 | Medium | 6.5 | 2019-03-06 | An issue was discovered in OFCMS before 1.1.3. It allows admin/cms/template/getTemplates.html?res_path=res directory traversal, with ../ in the dir parameter… |
CVE-2022-29653 | Medium | 6.1 | 2022-06-02 | OFCMS v1.1.4 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/comn/service/update.json. |
CVE-2023-51807 | Medium | 5.4 | 2024-01-16 | Cross Site Scripting vulnerability in OFCMS v.1.14 allows a remote attacker to obtain sensitive information via a crafted payload to the title addition compone… |
CVE-2022-27961 | Medium | 5.4 | 2022-04-10 | A cross-site scripting (XSS) vulnerability at /ofcms/company-c-47 in OFCMS v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted paylo… |
CVE-2022-27960 | Medium | 5.4 | 2022-04-10 | Insecure permissions configured in the user_id parameter at SysUserController.java of OFCMS v1.1.4 allows attackers to access and arbitrarily modify users' per… |
CVE-2025-1557 | Medium | 4.3 | 2025-02-22 | A vulnerability, which was classified as problematic, was found in OFCMS 1.1.3. Affected is an unknown function. The manipulation leads to cross-site request f… |
CVE-2019-9610 | Medium | 4.3 | 2019-03-06 | An issue was discovered in OFCMS before 1.1.3. It has admin/cms/template/getTemplates.html?res_path=res&up_dir=../ directory traversal, related to the getTempl… |
CVE-2024-9411 | Low | 3.5 | 2024-10-01 | A vulnerability classified as problematic has been found in OFCMS 1.1.2. This affects the function add of the file /admin/system/dict/add.json?sqlid=system.dic… |