彙總 cszcms 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
已披露問題常與 SQL 注入、CSRF與SSRF 相關,可能在 軟體部署與生產負載 場景中帶來 資料外洩與檔案覆寫 等暴露風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2021-47738 | CSZ CMS 1.2.7 contains a persistent cross-site scripting vulnerability that allows unauthorized users to embed malicious JavaScript in private messages. Attackers can send messages with script payloads in the user-agent header, which will execute when an admin views the message in the backend dashboard. | [email protected] | 5.1 | 0.25% | 2025-12-23 | 2026-06-17 |
| CVE-2021-47737 | CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert malicious hyperlinks in message titles. Attackers can craft POST requests to the member messaging system with HTML-based links to potentially conduct phishing or social engineering attacks. | [email protected] | 5.1 | 0.24% | 2025-12-23 | 2026-06-17 |
| CVE-2024-58307 | CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious SQL code through the view parameter to potentially execute time-based blind SQL injection attacks and extract database information. | [email protected] | 9.3 | 0.44% | 2025-12-11 | 2026-06-17 |
| CVE-2025-63608 | A SQL injection vulnerability exists in CSZ-CMS <=1.3.0 in the Form Builder view functionality. The vulnerability is located in the field parameter of the form viewing feature, allowing authenticated administrators to execute arbitrary SQL queries. | [email protected] | 5.4 | 0.18% | 2025-10-30 | 2026-06-17 |
| CVE-2025-29084 | SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the execSqlFile function in the Upgrade.php file. | [email protected] | 6.5 | 0.35% | 2025-09-23 | 2026-06-17 |
| CVE-2025-29083 | SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the execSqlFile function in the Plugin_Manager.php file. | [email protected] | 6.5 | 0.35% | 2025-09-23 | 2026-06-17 |
| CVE-2024-27752 | Cross Site Scripting vulnerability in CSZ CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the Default Keyword field in the settings function. | [email protected] | 5.4 | 0.56% | 2024-04-19 | 2026-06-17 |
| CVE-2024-27734 | A Cross Site Scripting vulnerability in CSZ CMS v.1.3.0 allows an attacker to execute arbitrary code via a crafted script to the Site Name fields of the Site Settings component. | [email protected] | 6.1 | 0.49% | 2024-03-01 | 2026-06-17 |
| CVE-2024-25414 | An arbitrary file upload vulnerability in /admin/upgrade of CSZ CMS v1.3.0 allows attackers to execute arbitrary code via uploading a crafted Zip file. | [email protected] | 9.8 | 1.61% | 2024-02-15 | 2026-06-17 |
| CVE-2023-41601 | Multiple cross-site scripting (XSS) vulnerabilities in install/index.php of CSZ CMS v1.3.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Database Username or Database Host parameters. | [email protected] | 6.1 | 0.38% | 2023-09-06 | 2026-06-17 |
| CVE-2023-39599 | Cross-Site Scripting (XSS) vulnerability in CSZ CMS v.1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Social Settings parameter. | [email protected] | 5.4 | 0.49% | 2023-08-22 | 2026-06-17 |
| CVE-2023-38911 | A Cross-Site Scripting (XSS) vulnerability in CSZ CMS 1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Gallery parameter in the YouTube URL fields. | [email protected] | 5.4 | 0.47% | 2023-08-18 | 2026-06-17 |
| CVE-2023-38910 | CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Wiget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin. | [email protected] | 6.1 | 0.44% | 2023-08-18 | 2026-06-17 |
| CVE-2020-19786 | File upload vulnerability in CSKaza CSZ CMS v.1.2.2 fixed in v1.2.4 allows attacker to execute aritrary commands and code via crafted PHP file. | [email protected] | 8.8 | 0.80% | 2023-03-23 | 2026-06-16 |
| CVE-2022-28997 | CSZCMS v1.3.0 allows attackers to execute a Server-Side Request Forgery (SSRF) which can be leveraged to leak sensitive data via a local file inclusion at /admin/filemanager/connector/. | [email protected] | 7.5 | 1.94% | 2022-05-23 | 2026-06-17 |
| CVE-2022-27165 | CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Plugin_manager_setstatus | [email protected] | 9.8 | 1.07% | 2022-04-12 | 2026-06-17 |
| CVE-2022-27164 | CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_viewUsers | [email protected] | 9.8 | 1.07% | 2022-04-12 | 2026-06-17 |
| CVE-2022-27163 | CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_editUser | [email protected] | 9.8 | 1.07% | 2022-04-12 | 2026-06-17 |
| CVE-2022-27162 | CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_editUser | [email protected] | 9.8 | 1.07% | 2022-04-12 | 2026-06-17 |
| CVE-2022-27161 | Csz Cms 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_viewUsers | [email protected] | 9.8 | 1.23% | 2022-04-12 | 2026-06-17 |