汇总 ofcms_project 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
历史漏洞主要涉及 CSRF与文件包含 等问题,部分漏洞可能导致 未授权访问,并影响 生产负载与软件部署 相关场景。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2025-1557 | A vulnerability, which was classified as problematic, was found in OFCMS 1.1.3. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 5.3 | 0.27% | 2025-02-22 | 2025-06-04 |
| CVE-2024-48236 | An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the FileOutputStream function in the write String method of the ofcms-admin\src\main\java\com\ofsoft\cms\core\uitle\FileUtils.java file | [email protected] | 6.5 | 0.72% | 2024-10-25 | 2025-04-18 |
| CVE-2024-48235 | An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the save method of the TemplateController.java file. | [email protected] | 6.5 | 0.72% | 2024-10-25 | 2025-04-18 |
| CVE-2024-9411 | A vulnerability classified as problematic has been found in OFCMS 1.1.2. This affects the function add of the file /admin/system/dict/add.json?sqlid=system.dict.save. The manipulation of the argument dict_value leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 5.3 | 0.34% | 2024-10-01 | 2025-11-13 |
| CVE-2024-34256 | OFCMS V1.1.2 is vulnerable to SQL Injection via the new table function. | [email protected] | 9.8 | 0.65% | 2024-05-14 | 2025-06-03 |
| CVE-2023-51807 | Cross Site Scripting vulnerability in OFCMS v.1.14 allows a remote attacker to obtain sensitive information via a crafted payload to the title addition component. | [email protected] | 5.4 | 0.45% | 2024-01-16 | 2025-06-20 |
| CVE-2023-24760 | An issue found in Ofcms v.1.1.4 allows a remote attacker to to escalate privileges via the respwd method in SysUserController. | [email protected] | 8.8 | 0.84% | 2023-03-16 | 2024-11-21 |
| CVE-2022-29653 | OFCMS v1.1.4 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/comn/service/update.json. | [email protected] | 6.1 | 0.52% | 2022-06-02 | 2024-11-21 |
| CVE-2022-27961 | A cross-site scripting (XSS) vulnerability at /ofcms/company-c-47 in OFCMS v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment text box. | [email protected] | 5.4 | 0.42% | 2022-04-10 | 2024-11-21 |
| CVE-2022-27960 | Insecure permissions configured in the user_id parameter at SysUserController.java of OFCMS v1.1.4 allows attackers to access and arbitrarily modify users' personal information. | [email protected] | 5.4 | 0.43% | 2022-04-10 | 2024-11-21 |
| CVE-2019-9617 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadFile URI. | [email protected] | 8.8 | 2.80% | 2019-03-06 | 2024-11-21 |
| CVE-2019-9616 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadScrawl URI. | [email protected] | 7.2 | 2.76% | 2019-03-06 | 2024-11-21 |
| CVE-2019-9615 | An issue was discovered in OFCMS before 1.1.3. It allows admin/system/generate/create?sql= SQL injection, related to SystemGenerateController.java. | [email protected] | 7.2 | 1.32% | 2019-03-06 | 2024-11-21 |
| CVE-2019-9614 | An issue was discovered in OFCMS before 1.1.3. A command execution vulnerability exists via a template file with '<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("' followed by the command. | [email protected] | 8.8 | 2.62% | 2019-03-06 | 2024-11-21 |
| CVE-2019-9613 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadVideo URI. | [email protected] | 7.2 | 2.76% | 2019-03-06 | 2024-11-21 |
| CVE-2019-9612 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/comn/service/upload URI. | [email protected] | 8.8 | 2.74% | 2019-03-06 | 2024-11-21 |
| CVE-2019-9611 | An issue was discovered in OFCMS before 1.1.3. It allows admin/cms/template/getTemplates.html?res_path=res directory traversal, with ../ in the dir parameter, to write arbitrary content (in the file_content parameter) into an arbitrary file (specified by the file_name parameter). This is related to the save function in TemplateController.java. | [email protected] | 6.5 | 1.47% | 2019-03-06 | 2024-11-21 |
| CVE-2019-9610 | An issue was discovered in OFCMS before 1.1.3. It has admin/cms/template/getTemplates.html?res_path=res&up_dir=../ directory traversal, related to the getTemplates function in TemplateController.java. | [email protected] | 4.3 | 1.39% | 2019-03-06 | 2024-11-21 |
| CVE-2019-9609 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/comn/service/editUploadImage URI. | [email protected] | 8.8 | 2.74% | 2019-03-06 | 2024-11-21 |
| CVE-2019-9608 | An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadImage URI. | [email protected] | 8.8 | 2.74% | 2019-03-06 | 2024-11-21 |