CVE-2019-10708

CRITICAL

S-CMS PHP 1.0 - SQL Injection via scms.php id Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-10708. PoCs published by stavhaygn.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2019-10708, a SQL injection vulnerability in SCMS. The exploit uses time-based blind SQL injection with multiprocessing to extract database names and admin credentials.

Description

S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike id parameter.

Exploits (1)

nomisec WORKING POC 1 stars

by stavhaygn · poc

https://github.com/stavhaygn/CVE-2019-10708

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2019-10708, a SQL injection vulnerability in SCMS. The exploit uses time-based blind SQL injection with multiprocessing to extract database names and admin credentials.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: SCMS (versions before 20190401)

No auth needed

Prerequisites: Access to the vulnerable SCMS endpoint

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory x_refsource_misc

http://www.iwantacve.cn/index.php/archives/185/

Scores

CVSS v3 9.8

EPSS 0.0264

EPSS Percentile 83.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

s-cms/s-cms 1.0

Published Apr 02, 2019

Tracked Since Feb 18, 2026