gxlcms CVE Vulnerabilities & Metrics

Focus on gxlcms vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About gxlcms Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with gxlcms. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total gxlcms CVEs: 15
Earliest CVE date: 03 Oct 2017, 01:29 UTC
Latest CVE date: 12 Aug 2021, 15:15 UTC

Latest CVE reference: CVE-2020-20975

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical gxlcms CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 6.03

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range       Count
0.0-3.9     0
4.0-6.9     10
7.0-8.9     5
9.0-10.0    0

CVSS Distribution Chart

Top 5 Highest CVSS gxlcms CVEs

These are the five gxlcms CVEs with the highest CVSS scores, sorted by severity first and then by recency.

All CVEs for gxlcms

CVE-2020-20975 gxlcms vulnerability CVSS: 7.5 12 Aug 2021, 15:15 UTC

In \lib\admin\action\dataaction.class.php in Gxlcms v1.1, SQL Injection exists via the $filename parameter.

CVE-2018-18488 gxlcms vulnerability CVSS: 7.5 18 Oct 2018, 21:29 UTC

In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, SQL Injection exists via the ids[] parameter.

CVE-2018-18487 gxlcms vulnerability CVSS: 5.0 18 Oct 2018, 21:29 UTC

In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, the database backup filename generation uses mt_rand() unsafely, resulting in predictable database backup file locations.

CVE-2018-16655 gxlcms vulnerability CVSS: 4.3 07 Sep 2018, 05:29 UTC

Gxlcms 1.0 has XSS via the PATH_INFO to gx/lib/ThinkPHP/Tpl/ThinkException.tpl.php.

CVE-2018-16437 gxlcms vulnerability CVSS: 4.0 05 Sep 2018, 20:29 UTC

Gxlcms 2.0 before bug fix 20180915 has Directory Traversal exploitable by an administrator.

CVE-2018-16436 gxlcms vulnerability CVSS: 6.5 05 Sep 2018, 20:29 UTC

Gxlcms 2.0 before bug fix 20180915 has SQL Injection exploitable by an administrator.

CVE-2018-15177 gxlcms vulnerability CVSS: 6.8 08 Aug 2018, 00:29 UTC

In Gxlcms 2.0, a news/index.php?s=Admin-Admin-Insert CSRF attack can add an administrator account.

CVE-2018-14685 gxlcms vulnerability CVSS: 5.0 28 Jul 2018, 23:29 UTC

The add function in www/Lib/Lib/Action/Admin/TplAction.class.php in Gxlcms v1.1.4 allows remote attackers to read arbitrary files via a crafted index.php?s=Admin-Tpl-ADD-id request, related to Lib/Common/Admin/function.php.

CVE-2018-9852 gxlcms vulnerability CVSS: 5.0 08 Apr 2018, 02:29 UTC

In Gxlcms QY v1.0.0713, Lib\Lib\Action\Home\HitsAction.class.php allows remote attackers to read data from a database by embedding a FROM clause in a query string within a Home-Hits request, as demonstrated by sid=user,password%20from%20mysql.user%23.

CVE-2018-9851 gxlcms vulnerability CVSS: 5.0 08 Apr 2018, 02:29 UTC

In Gxlcms QY v1.0.0713, Lib\Lib\Action\Admin\TplAction.class.php allows remote attackers to read any file via a modified pathname in an Admin-Tpl request, as demonstrated by use of '|' instead of '/' as a directory separator, in conjunction with a ".." sequence.

CVE-2018-9850 gxlcms vulnerability CVSS: 6.4 08 Apr 2018, 02:29 UTC

In Gxlcms QY v1.0.0713, Lib\Lib\Action\Admin\DataAction.class.php allows remote attackers to delete any file via directory traversal sequences in the id parameter of an Admin-Data-del request.

CVE-2018-9848 gxlcms vulnerability CVSS: 7.5 07 Apr 2018, 21:29 UTC

In Gxlcms QY v1.0.0713, the upload function in Lib\Lib\Action\Admin\UploadAction.class.php allows remote attackers to execute arbitrary PHP code by first using an Admin-Admin-Configsave request to change the config[upload_class] value from jpg,gif,png,jpeg to jpg,gif,png,jpeg,php and then making an Admin-Upload-Upload request.

CVE-2018-9847 gxlcms vulnerability CVSS: 7.5 07 Apr 2018, 21:29 UTC

In Gxlcms QY v1.0.0713, the update function in Lib\Lib\Action\Admin\TplAction.class.php allows remote attackers to execute arbitrary PHP code by placing this code into a template.

CVE-2018-9247 gxlcms vulnerability CVSS: 7.5 04 Apr 2018, 00:29 UTC

The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter. Consequently, an attacker can execute arbitrary PHP code by placing it after a <?php substring, and then using INTO OUTFILE with a .php filename.

CVE-2017-14979 gxlcms vulnerability CVSS: 5.0 03 Oct 2017, 01:29 UTC

Gxlcms uses an unsafe character-replacement approach in an attempt to restrict access, which allows remote attackers to read arbitrary files via modified pathnames in the s parameter to index.php, related to Lib/Admin/Action/TplAction.class.php and Lib/Admin/Common/function.php.