idreamsoft CVE Vulnerabilities & Metrics

Focus on idreamsoft vulnerabilities and metrics.

Last updated: 08 May 2025, 22:25 UTC

About idreamsoft Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with idreamsoft. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total idreamsoft CVEs: 28
Earliest CVE date: 10 Jul 2018, 20:29 UTC
Latest CVE date: 08 Sep 2023, 03:15 UTC

Latest CVE reference: CVE-2023-40953

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -100.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -100.0%


CVSS Stats

Average CVSS: 5.36

Max CVSS: 10.0

Critical CVEs (≥9): 2

CVSS Range vs. Count

Range Count
0.0-3.9 4
4.0-6.9 19
7.0-8.9 3
9.0-10.0 2


All CVEs for idreamsoft

CVE-2023-40953 idreamsoft vulnerability CVSS: 0 08 Sep 2023, 03:15 UTC

icms 7.0.16 is vulnerable to Cross Site Request Forgery (CSRF).

CVE-2023-39806 idreamsoft vulnerability CVSS: 0 10 Aug 2023, 20:15 UTC

iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the bakupdata function.

CVE-2023-39805 idreamsoft vulnerability CVSS: 0 10 Aug 2023, 20:15 UTC

iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the where parameter at admincp.php.

CVE-2022-41496 idreamsoft vulnerability CVSS: 0 13 Oct 2022, 21:15 UTC

iCMS v7.0.16 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at admincp.php.

CVE-2021-44978 idreamsoft vulnerability CVSS: 7.5 04 Feb 2022, 16:15 UTC

iCMS <= 8.0.0 allows users to add and render a custom template, which has an SSTI vulnerability that causes remote code execution.

CVE-2021-44977 idreamsoft vulnerability CVSS: 5.0 04 Feb 2022, 16:15 UTC

In iCMS <=8.0.0, a directory traversal vulnerability allows an attacker to read arbitrary files.

CVE-2020-21141 idreamsoft vulnerability CVSS: 6.8 12 Nov 2021, 22:15 UTC

iCMS v7.0.15 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admincp.php?app=members&do=add.

CVE-2020-26641 idreamsoft vulnerability CVSS: 6.8 28 May 2021, 20:15 UTC

A Cross Site Request Forgery (CSRF) vulnerability was discovered in iCMS 7.0.16 which can allow an attacker to execute arbitrary web scripts.

CVE-2020-18070 idreamsoft vulnerability CVSS: 6.4 30 Apr 2021, 00:15 UTC

Path Traversal in iCMS v7.0.13 allows remote attackers to delete folders by injecting commands into a crafted HTTP request to the "do_del()" method of the component "database.admincp.php".

CVE-2020-19527 idreamsoft vulnerability CVSS: 10.0 10 Dec 2020, 23:15 UTC

iCMS 7.0.14 allows attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php.

CVE-2020-19142 idreamsoft vulnerability CVSS: 10.0 10 Dec 2020, 23:15 UTC

iCMS 7 allows attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php.

CVE-2020-24739 idreamsoft vulnerability CVSS: 4.3 10 Sep 2020, 14:15 UTC

A CSRF vulnerability was found in iCMS v7.0.0 in the back-end function that deletes administrator accounts. A request that lacks the CSRF_TOKEN is still processed normally, and all administrators except the initial administrator will be deleted.

CVE-2019-17583 idreamsoft vulnerability CVSS: 5.0 14 Oct 2019, 16:15 UTC

idreamsoft iCMS 7.0.15 allows remote attackers to cause a denial of service (resource consumption) via a query for many comments, as demonstrated by the admincp.php?app=comment&perpage= substring followed by a large positive integer.

CVE-2019-17552 idreamsoft vulnerability CVSS: 7.5 14 Oct 2019, 13:15 UTC

An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_project.admincp.php SQL injection vulnerability in the 'upload spider project scheme' feature via a two-dimensional payload.

CVE-2019-16677 idreamsoft vulnerability CVSS: 5.8 21 Sep 2019, 20:15 UTC

An issue was discovered in idreamsoft iCMS V7.0. admincp.php?app=members&do=del allows CSRF.

CVE-2019-11427 idreamsoft vulnerability CVSS: 4.3 22 Apr 2019, 11:29 UTC

An XSS issue was discovered in app/search/search.app.php in idreamsoft iCMS 7.0.14 via the public/api.php?app=search q parameter.

CVE-2019-11426 idreamsoft vulnerability CVSS: 4.3 22 Apr 2019, 11:29 UTC

An XSS issue was discovered in app/admincp/template/admincp.header.php in idreamsoft iCMS 7.0.14 via the admincp.php?app=config tab parameter.

CVE-2019-8902 idreamsoft vulnerability CVSS: 4.9 18 Feb 2019, 14:29 UTC

An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI.

CVE-2019-7237 idreamsoft vulnerability CVSS: 5.0 30 Jan 2019, 21:29 UTC

An issue was discovered in idreamsoft iCMS 7.0.13 on Windows. editor/editor.admincp.php allows admincp.php?app=files&do=browse ..\ Directory Traversal.

CVE-2019-7236 idreamsoft vulnerability CVSS: 5.0 30 Jan 2019, 21:29 UTC

An issue was discovered in idreamsoft iCMS 7.0.13. editor/editor.admincp.php allows admincp.php?app=editor&do=fileManager dir=../ Directory Traversal.

CVE-2019-7235 idreamsoft vulnerability CVSS: 6.4 30 Jan 2019, 21:29 UTC

An issue was discovered in idreamsoft iCMS 7.0.13. admincp.php?app=apps&do=save allows directory traversal via _app=/../ to designate an arbitrary directory because of an apps.admincp.php error. This directory can then be deleted via an admincp.php?app=apps&do=uninstall request.

CVE-2019-7234 idreamsoft vulnerability CVSS: 6.4 30 Jan 2019, 21:29 UTC

An issue was discovered in idreamsoft iCMS 7.0.13. admincp.php?app=apps&do=save allows directory traversal via _app=/../ to begin the process of creating a ZIP archive file with the complete contents of any directory because of an apps.admincp.php error. This ZIP archive file can then be downloaded via an admincp.php?app=apps&do=pack request.

CVE-2019-7160 idreamsoft vulnerability CVSS: 7.5 29 Jan 2019, 16:29 UTC

idreamsoft iCMS 7.0.13 allows admincp.php?app=files ../ Directory Traversal via the udir parameter to files.admincp.php, resulting in execution of arbitrary PHP code from a ZIP file via the admincp.php?app=apps zipfile parameter to apps.admincp.php.

CVE-2018-16366 idreamsoft vulnerability CVSS: 6.8 02 Sep 2018, 22:29 UTC

An issue was discovered in idreamsoft iCMS V7.0.10. admincp.php?app=user&do=save allows CSRF.

CVE-2018-16365 idreamsoft vulnerability CVSS: 6.8 02 Sep 2018, 22:29 UTC

An issue was discovered in idreamsoft iCMS V7.0.10. admincp.php?app=group&do=save allows CSRF.

CVE-2018-16332 idreamsoft vulnerability CVSS: 6.8 02 Sep 2018, 03:29 UTC

An issue was discovered in iCMS 7.0.9. There is an admincp.php?app=article&do=update CSRF vulnerability.

CVE-2018-16320 idreamsoft vulnerability CVSS: 6.5 01 Sep 2018, 18:29 UTC

idreamsoft iCMS 7.0.11 allows admincp.php?app=config Directory Traversal, resulting in execution of arbitrary PHP code from a ZIP file.

CVE-2018-13865 idreamsoft vulnerability CVSS: 4.3 10 Jul 2018, 20:29 UTC

An issue was discovered in idreamsoft iCMS 7.0.9. XSS exists via the callback parameter in a public/api.php uploadpic request, bypassing the iWAF protection mechanism.