SetsucoCMS all versions allows remote authenticated attackers to conduct code injection attacks via unspecified vectors.

Cross-site request forgery (CSRF) vulnerability in SetsucoCMS all versions allows remote attackers to hijack the authentication of an administrator to change settings via unspecified vectors.

SetsucoCMS all versions does not properly manage sessions, which allows remote attackers to disclose or alter unauthorized information via unspecified vectors.

SQL injection vulnerability in the SetsucoCMS all versions allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.

The Type_MLU_Read function in cmstypes.c in Little CMS (aka lcms2) allows remote attackers to obtain sensitive information or cause a denial of service via an image with a crafted ICC profile, which triggers an out-of-bounds heap read.

Directory traversal vulnerability in SAP CMS and CM Services allows attackers to upload arbitrary files via unspecified vectors.

SQL injection vulnerability in setseed-hub in SetSeed CMS 5.8.20, 5.11.2, and earlier allows remote attackers to execute arbitrary SQL commands via the loggedInUser cookie.

Multiple cross-site scripting (XSS) vulnerabilities in Hotaru.php in the Search plugin 1.3 for Hotaru CMS allow remote attackers to inject arbitrary web script or HTML via the (1) SITE_NAME parameter to admin_index.php, or the (2) return and (3) search parameters to index.php. NOTE: some of these details are obtained from third party information.

SQL injection vulnerability in article.php in SenseSites CommonSense CMS allows remote attackers to execute arbitrary SQL commands via the article_id parameter.

Multiple SQL injection vulnerabilities in SebracCMS (sbcms) 0.4 allow remote attackers to execute arbitrary SQL commands via (1) the recid parameter to cms/form/read.php, (2) the uname parameter to cms/index.php, and other unspecified vectors.