Ulicms CVEs and Security Vulnerabilities

Search

Use the Query Builder to create your own search query, or check out the documentation to learn the search syntax.

Search Examples

CVEs in KEV CVEs with EPSS >= 80% Crit. Microsoft High Apache SQL Injection (CWE-89) Linux Kernel High (CVSS 3.1) Apache Struts RCE (Remote Code Execution) XSS (CWE-79) Critical (CVSS 4.0) CVEs to check

Search Results (7 CVEs found)

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2023-53923	1 Ulicms	1 Ulicms	2025-12-18	9.8 Critical
UliCMS 2023.1 contains a privilege escalation vulnerability that allows unauthenticated attackers to create administrative accounts through the UserController endpoint. Attackers can send a crafted POST request to /dist/admin/index.php with specific parameters to generate a new admin user with full system access.
CVE-2023-53914	1 Ulicms	1 Ulicms	2025-12-18	9.8 Critical
UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a crafted POST request to the admin index.php endpoint with specific parameters to generate an administrative account with full system access.
CVE-2023-53924	1 Ulicms	1 Ulicms	2025-12-18	8.8 High
UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution through maliciously crafted avatar uploads.
CVE-2023-53925	1 Ulicms	1 Ulicms	2025-12-18	5.4 Medium
UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the file management interface that execute arbitrary scripts when viewed by other users.
CVE-2020-12704	1 Ulicms	1 Ulicms	2024-11-21	6.1 Medium
UliCMS before 2020.2 has PageController stored XSS.
CVE-2020-12703	1 Ulicms	1 Ulicms	2024-11-21	6.1 Medium
UliCMS before 2020.2 has XSS during PackageController uninstall.
CVE-2019-11398	1 Ulicms	1 Ulicms	2024-11-21	N/A
Multiple cross-site scripting (XSS) vulnerabilities in UliCMS 2019.2 and 2019.1 allow remote attackers to inject arbitrary web script or HTML via the go parameter to admin/index.php, the go parameter to /admin/index.php?register=register, or the error parameter to admin/index.php?action=favicon.

Page 1 of 1.