Every CVE whose affected-product data names Gilacms Gila Cms, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (25)
CVE-2020-5514 — CVSS 9.1 (critical): Gila CMS 1.11.8 allows Unrestricted Upload of a File with a Dangerous Type via .phar or .phtml to the lzld/thumb?src= URI.
CVE-2020-20693 — CVSS 8.8 (high): A Cross-Site Request Forgery (CSRF) in GilaCMS v1.11.4 allows authenticated attackers to arbitrarily add administrator accounts.
CVE-2020-20726 — CVSS 8.8 (high): Cross Site Request Forgery vulnerability in Gila GilaCMS v.1.11.4 allows a remote attacker to execute arbitrary code via the…
CVE-2019-20804 — CVSS 8.8 (high): Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/themes URI, leading to compromise of the admin account.
CVE-2021-37777 — CVSS 7.5 (high): Gila CMS 2.2.0 is vulnerable to Insecure Direct Object Reference (IDOR). Thumbnails uploaded by one site owner are visible by another site…
CVE-2020-20692 — CVSS 7.2 (high): GilaCMS v1.11.4 was discovered to contain a SQL injection vulnerability via the $_GET parameter in /src/core/controllers/cm.php.
CVE-2020-28692 — CVSS 7.2 (high): In Gila CMS 1.16.0, an attacker can upload a shell to tmp directy and abuse .htaccess through the logs function for executing PHP files.
CVE-2019-20803 — CVSS 6.1 (medium): Gila CMS before 1.11.6 has reflected XSS via the admin/content/postcategory id parameter, which is mishandled for g_preview_theme.
CVE-2019-17535 — CVSS 6.1 (medium): Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to…
CVE-2020-20523 — CVSS 6.1 (medium): Cross Site Scripting (XSS) vulnerability in adm_user parameter in Gila CMS version 1.11.3, allows remote attackers to execute arbitrary…
CVE-2020-20696 — CVSS 5.4 (medium): A cross-site scripting (XSS) vulnerability in /admin/content/post of GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or…
CVE-2020-20695 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a…
CVE-2021-39486 — CVSS 5.4 (medium): A Stored XSS via Malicious File Upload exists in Gila CMS version 2.2.0. An attacker can use this to steal cookies, passwords or to run…
CVE-2019-17536 — CVSS 4.9 (medium): Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php…
CVE-2019-11515 — CVSS 4.9 (medium): core/classes/db_backup.php in Gila CMS 1.10.1 allows admin/db_backup?download= absolute path traversal to read arbitrary files.
CVE-2020-26624 — CVSS 3.8 (low): A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts…
CVE-2020-26625 — CVSS 3.8 (low): A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts…
CVE-2020-26623 — CVSS 3.8 (low): SQL Injection vulnerability discovered in Gila CMS 1.15.4 and earlier allows a remote attacker to execute arbitrary web scripts via the…
CVE-2024-7657 — CVSS 3.5 (low): A vulnerability classified as problematic was found in Gila CMS 1.10.9. This vulnerability affects unknown code of the file…