Gathering Basic Web-CMS Vulnerability Data

Function

This API is used to gather basic web-CMS vulnerability data.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
If you are using identity policy-based authorization, no identity policy-based permission required for calling this API.

URI

GET /v5/{project_id}/vulnerability/cms-detail

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Definition Project ID, which is used to specify the project that an asset belongs to. After the project ID is configured, you can query assets in the project using the project ID. For details about how to obtain it, see Obtaining a Project ID. Constraints N/A Range The value can contain 1 to 256 characters. Default Value N/A

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	Definition Enterprise project ID, which is used to filter assets in different enterprise projects. For details, see Obtaining an Enterprise Project ID. To query assets in all enterprise projects, set this parameter to all_granted_eps. Constraints You need to set this parameter only after the enterprise project function is enabled. Range The value can contain 1 to 256 characters. Default Value 0: default enterprise project.
limit	Yes	Integer	Definition Number of records displayed on each page. Constraints N/A Range Value range: 10 to 200 Default Value 10
offset	Yes	Integer	Definition Offset, which specifies the start position of the record to be returned. Constraints N/A Range The value range is 0 to 2,000,000. Default Value N/A
vul_id	Yes	String	Definition Vulnerability Patch No. Constraints N/A Range The value contains 1 to 256 characters. Default Value N/A
cve_id	No	String	Definition Vulnerability ID Constraints N/A Range The value can contain 1 to 32 characters. Default Value N/A
handle_status	No	String	Definition Vulnerability handling status. Constraints N/A Range unhandled handled Default Value N/A

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	Definition User token, which contains user identity and permissions. The token can be used for identity authentication when an API is called. For details about how to obtain the token, see Obtaining a User Token. Constraints N/A Range The value can contain 1 to 32,768 characters. Default Value N/A

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
total_num	Integer	Definition Total number of records. Range The value range is 0 to 2,147,483,647.
data_list	Array of WebCmsVulDetailInfo objects	Definition Web-CMS vulnerability CVE list. Range The value range is 0 to 10,000.

**Table 5** WebCmsVulDetailInfo
Parameter	Type	Description
vul_id	String	Definition Vulnerability Patch No. Range The value contains 0 to 256 characters.
app	String	Definition Software name. Range The value can contain 0 to 32 characters.
name_zh	String	Definition Chinese name Range The value can contain 0 to 128 characters.
name_en	String	Definition English name Range The value can contain 0 to 128 characters.
public_time	Long	Definition Disclosure time. Range Minimum value: 0; maximum value: 2^63-1
vulLabel_zh	String	Definition Vulnerability label name (Chinese) Range You can enter 0 to 64 characters.
vulLabel_en	String	Definition Vulnerability label name (English) Range You can enter 0 to 64 characters.
repair_necessity	Integer	Definition Whether fixing is required. Range 1: high 2: medium 3: low
severity_level	String	Definition Whether fixing is required. Range Low Medium High Critical
description_zh	String	Definition CVE Vulnerability Description (Chinese) Range The value contains 0 to 1,024 characters.
description_en	String	Definition CVE vulnerability description in English Range The value contains 0 to 1,024 characters.
solution_zh	String	Definition CVE Vulnerability Fixing Suggestion (Chinese) Range The value contains 0 to 1,024 characters.
solution_en	String	Definition CVE Vulnerability Fixing Suggestion (En) Range The value contains 0 to 1,024 characters.
cve_id	String	Definition Vulnerability ID Range The value can contain 0 to 255 characters.
cve_score	Float	Definition CVE score Range Minimum value:0; maximum value: 10
cnvd_id	String	Definition CNVD ID Range The value can contain 0 to 32 characters.
cnnvd_id	String	Definition CNNVD ID Range The value can contain 0 to 32 characters.
bugtraq_id	String	Definition Bugtraq ID Range The value can contain 0 to 32 characters.
suffix_path	String	Definition Suffix Path Range The value can contain 0 to 128 characters.
md5	String	Definition md5 Range The value can contain 0 to 32 characters.
create_time	Long	Definition Creation time. Range The value range is 0 to 9,223,372,036,854,775,807.
update_time	Long	Definition Update time. Range The value range is 0 to 9,223,372,036,854,775,807.
tags_zh	String	Definition Vulnerability label name (Chinese) Range You can enter 0 to 64 characters.
tags_en	String	Definition Vulnerability label name (English) Range You can enter 0 to 64 characters.
patch_url	String	Definition Patch address. Range The value can contain 0 to 512 characters.
hosts_num	VulnerabilityHostNumberInfo object	Definition Number of affected servers.
cve_level	String	Definition CVE severity. Range Low Medium High
cvss	Float	Definition Vulnerability score. Range Minimum value:0; maximum value: 10
cvss_version	String	Definition CVS score version. Range The value can contain 0 to 32 characters.
description	String	Definition Vulnerability description. Range The value contains 0 to 1,024 characters.
cve_name	String	Definition CVE vulnerability name. Range The value can contain 0 to 512 characters.
cvss_vector	String	Definition Attack vector. Range The value can contain 0 to 255 characters.
cve_solution	String	Definition CVE fixing suggestion. Range The value can contain 0 to 4,096 characters.
cve_affect	String	Definition CVE vulnerability severity. Range The value can contain 0 to 128 characters.
cve_affect_description	String	Definition Description of the CVE vulnerability severity. Range The value can contain 0 to 4,096 characters.
cve_type	String	Definition CVE vulnerability type. Range The value can contain 0 to 128 characters.
cve_type_description	String	Definition Description of a CVE vulnerability type. Range The value can contain 0 to 4,096 characters.

**Table 6** VulnerabilityHostNumberInfo
Parameter	Type	Description
important	Integer	Definition Number of important servers. Range The value range is 0 to 10,000.
common	Integer	Definition Number of common servers. Range The value range is 0 to 10,000.
test	Integer	Definition Number of test servers. Range The value range is 0 to 10,000.

Example Requests

Query details about the Web-CMS vulnerability HCVD-WEBCMS-2025-111111 of the project whose ID is 2b31ed520xxxxxxebedb6e57xxxxxxxx.

GET https://{endpoint}/v5/2b31ed520xxxxxxebedb6e57xxxxxxxx/vulnerability/cms-detail?offset=0&limit=10&vul_id=HCVD-WEBCMS-2025-111111&handle_status=unhandled&enterprise_project_id=all_granted_eps

Example Responses

Status code: 200

Request succeeded.

{
  "total_num" : 1,
  "data_list" : [ {
    "cvss" : 7.8,
    "description" : "Pear Archive_Tar is a PHP-based software developed by the PHP Extension and Application Repository (PEAR) team. It can create and extract tar packages. \\nArchive_Tar 1.4.10 and earlier versions have a security vulnerability. This vulnerability allows deserialization attacks because phar: is blocked but phar: is not.",
    "vul_id" : "HCVD-WEBCMS-2025-111111",
    "app" : "drupal",
    "name_zh" : "Untrusted data deserialization vulnerability in Drupal",
    "name_en" : "Deserialization of Untrusted Data vulnerability in drupal",
    "repair_necessity" : 2,
    "severity_level" : "Medium",
    "description_zh" : "Pear Archive_Tar is a PHP-based software developed by the PHP Extension and Application Repository (PEAR) team. It can create and extract tar packages. A security vulnerability exists in Archive_Tar 1.4.10 and earlier versions. This vulnerability allows deserialization attacks because phar: is blocked but PHAR: is not blocked.",
    "description_en" : "Archive_Tar through 1.4.10 allows an unserialization attack because phar, is blocked but PHAR, is not blocked.",
    "solution_zh" : "Install the latest version. If Drupal 9.0 is used, upgrade it to 9.0.9 or later. If Drupal 8.9 is used, upgrade it to 8.9.10 or later. If Drupal 8.8 is used, upgrade it to 8.8.12 or later. If Drupal 7 is used, upgrade it to 7.75 or later. Download link: https://www.drupal.org/project/drupal/releases",
    "solution_en" : "Install the latest version, If you are using Drupal 9.0, update to Drupal 9.0.9 If you are using Drupal 8.9, update to Drupa 8.9.10 If you are using Drupal 8.8 or earlier, update to Drupal 8.8.12 If you are using Drupal 7, update to Drupal 7.75 Downloa link, https://www.drupal.org/project/drupal/releases",
    "cve_id" : "CVE-2020-28948",
    "cve_score" : 6.8,
    "cnvd_id" : "",
    "cnnvd_id" : "CNNVD-202011-1691",
    "suffix_path" : "/abc/abc.txt",
    "md5" : "d41d8cd98f00b204e9800998ecf8427e",
    "create_time" : 1648437102326,
    "update_time" : 1648437102326,
    "tags_zh" : "Exploited in the wild, EXP disclosed, and POC disclosed",
    "tags_en" : "Exploited In The Wild,Exploit Disclosed,POC Disclosed",
    "hosts_num" : {
      "important" : 0,
      "common" : 1,
      "test" : 0
    },
    "cve_level" : "Medium",
    "cvss_version" : 3.1,
    "cve_name" : "Php Archive Tar unauthorized deserialization vulnerability.",
    "cvss_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "cve_solution" : "Solution:\\nA patch has been released to fix this security vulnerability. Click the link [https://github.com/pear/Archive_Tar/issues/33] to download and install it. This patch aims to solve specific security problems and ensure system security and stability. Before the installation, back up all key data and perform operations according to the official guide. After the installation, perform a comprehensive test to verify that the vulnerability has been completely fixed and ensure that other functions of the system are running properly. \\n\\nTemporary solution:\\n\\nConfigure Drupal to forbid users from upload compressed packages in .tar, .tar.gz, .bz2, and .tlz formats. You are advised to upgrade the Drupal to the latest version. For details, see the formal protection solution. \\n",
    "cve_affect" : "GetShell",
    "cve_affect_description" : "GetShell means that attackers can upload executable Trojan files to completely control the server system.",
    "cve_type" : "Deserialization",
    "cve_type_description" : "The program deserializes untrusted data without fully checking whether the deserialized data trusted and secure, resulting in unexpected results."
  } ]
}

Status Codes

Status Code	Description
200	Request succeeded.

Error Codes

See Error Codes.

Parent Topic: Vulnerability Management

Previous topic: Performing a Rollback Using a Backup

Next topic: Querying Container Application Information Affected by a Vulnerability

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

For any further questions, feel free to contact us through the chatbot.

Chatbot