DamicmsCVEs & Vulnerabilities

11 CVEs affecting Damicms products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

damicms 11
CVE-2020-21236HIGH

A vulnerability in /damicms-master/admin.php?s=/Article/doedit of DamiCMS v6.0 allows attackers to compromise and impersonate user accounts via obtaining a user's session cookie.

28 Dec 2021
8.8
CVSS
CVE-2020-18458HIGH

Cross Site Request Forgery (CSRF) vulnerability exists in DamiCMS v6.0.6 that can add an admin account via admin.php?s=/Admin/doadd.

12 Aug 2021
8.0
CVSS
CVE-2020-18451MEDIUM

Cross Site Scripting (XSS) vulnerability exists in DamiCMS v6.0.6 via the title parameter in the doadd function in LabelAction.class.php.

12 Aug 2021
4.8
CVSS
CVE-2018-14831MEDIUM

An arbitrary file read vulnerability in DamiCMS v6.0.0 allows remote authenticated administrators to read any files in the server via a crafted /admin.php?s=Tpl/Add/id/ URI.

10 Jul 2019
4.9
CVSS
CVE-2018-20571HIGH

DamiCMS 6.0.1 allows remote attackers to read arbitrary files via a crafted admin.php?s=Tpl/Add/id request, as demonstrated by admin.php?s=Tpl/Add/id/.\Public\Config\config.ini.php to read the global configuration file.

28 Dec 2018
7.5
CVSS
CVE-2018-16331HIGH

admin.php?s=/Admin/doedit in DamiCMS v6.0.0 allows CSRF to change the administrator account's password.

2 Sep 2018
8.8
CVSS
CVE-2018-16239CRITICAL

An issue was discovered in damiCMS V6.0.1. It relies on the PHP time() function for cookies, which makes it possible to determine the cookie for an existing admin session via 10800 guesses.

31 Aug 2018
9.8
CVSS
CVE-2018-16238HIGH

An issue was discovered in damiCMS V6.0.1. Remote code execution can occur via PHP code in a multipart/form-data POST to the admin.php?s=/Tpl/Update.html URI. For example, this can update the Web/Tpl/default/head.html file.

31 Aug 2018
7.2
CVSS
CVE-2018-16237LOW

An issue was discovered in damiCMS V6.0.1. There is Directory Traversal via '|' characters in the s parameter to admin.php, as demonstrated by an admin.php?s=Tpl/Add/id/c:|windows|win.ini URI.

31 Aug 2018
2.7
CVSS
CVE-2018-15844HIGHpoc

An issue was discovered in DamiCMS 6.0.0. There is an CSRF vulnerability that can revise the administrator account's password via /admin.php?s=/Admin/doedit.

26 Aug 2018
8.8
CVSS
CVE-2018-13031HIGH

DamiCMS v6.0.0 aand 6.1.0 allows CSRF via admin.php?s=/Admin/doadd to add an administrator account.

5 Jul 2018
8.8
CVSS
← PrevPage 1 / 1Next →