U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:damicms:damicms:6.0.1
There are 4 matching records.
Displaying matches 1 through 4.
Vuln ID Summary CVSS Severity
CVE-2018-20571

DamiCMS 6.0.1 allows remote attackers to read arbitrary files via a crafted admin.php?s=Tpl/Add/id request, as demonstrated by admin.php?s=Tpl/Add/id/.\Public\Config\config.ini.php to read the global configuration file.

Published: December 28, 2018; 11:29:05 AM -0500
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2018-16239

An issue was discovered in damiCMS V6.0.1. It relies on the PHP time() function for cookies, which makes it possible to determine the cookie for an existing admin session via 10800 guesses.

Published: August 30, 2018; 6:29:00 PM -0400
V3.0: 9.8 CRITICAL
V2.0: 5.0 MEDIUM
CVE-2018-16238

An issue was discovered in damiCMS V6.0.1. Remote code execution can occur via PHP code in a multipart/form-data POST to the admin.php?s=/Tpl/Update.html URI. For example, this can update the Web/Tpl/default/head.html file.

Published: August 30, 2018; 6:29:00 PM -0400
V3.0: 7.2 HIGH
V2.0: 6.5 MEDIUM
CVE-2018-16237

An issue was discovered in damiCMS V6.0.1. There is Directory Traversal via '|' characters in the s parameter to admin.php, as demonstrated by an admin.php?s=Tpl/Add/id/c:|windows|win.ini URI.

Published: August 30, 2018; 6:29:00 PM -0400
V3.0: 2.7 LOW
V2.0: 4.0 MEDIUM