66 matches found
CVE-2018-7893
CVE-2018-7893: CMS Made Simple (CMSMS) 2.2.6 is affected by a stored XSS in admin/moduleinterface.php via the metadata parameter. The CVSS data (NVD) lists a base score of 3.5 (LOW) under CVSS2 and 4.8 (MEDIUM) under CVSS3, with network attack vector and low impact on confidentiality/availabilit...
CVE-2018-8058
CMS Made Simple (CMSMS) 2.2.6 contains a cross‑site scripting (XSS) vulnerability in admin/moduleinterface.php via the pagedata parameter. Affected component: CMSMS core web interface; vulnerability type: stored XSS. The CVE and related OpenVAS entry indicate multiple stored XSS vulnerabilities i...
Design/Logic Flaw
CMS Made Simple CMSMS 2.2.5 has XSS in admin/moduleinterface.php via the m1_messages parameter...
CVE-2018-5965
CMS Made Simple (CMSMS) 2.2.5 exposes a Cross-Site Scripting (XSS) vulnerability in admin/moduleinterface.php via the m1_errors parameter. The root cause, as stated, is unvalidated input being reflected, enabling script injection in the context of the admin interface. Public references in the con...
CVE-2018-5964
CMS Made Simple (CMSMS) 2.2.5 is reported to have a cross-site scripting (XSS) vulnerability in admin/moduleinterface.php via the m1_messages parameter. All connected sources describe the same issue, with the vulnerability affecting the processing of that parameter in the admin interface. The NVD...
CVE-2017-17735
CMS Made Simple CMSMS before 2.2.5 does not properly cache login information in cookies...
CVE-2017-17735
CMS Made Simple (CMSMS) versions before 2.2.5 have a vulnerability where login information is not properly cached in cookies. Root cause: improper handling of login data in cookies. Impact is described by CVSS as high for confidentiality and integrity, but the connected documents do not spell out...
CVE-2017-17734
CMS Made Simple (CMSMS) before version 2.2.5 contains a vulnerability where login information is not properly cached in sessions. The issue affects CMSMS 2.2.4 and earlier. Impact is tied to session handling and could affect authentication state. The connected documents confirm the affected produ...
Design/Logic Flaw
In CMS Made Simple CMSMS 2.2.2, remote authenticated administrators can upload a .php file via a CMSContentManager action to admin/moduleinterface.php, followed by a FilePicker action to admin/moduleinterface.php in which type=image is changed to type=file...
CVE-2017-11405
CMS Made Simple (CMSMS) 2.2.2 is affected by CVE-2017-11405. Remote authenticated administrators can abuse a sequence of actions (CMSContentManager to admin/moduleinterface.php, then a FilePicker action that changes type=image to type=file) to upload a PHP file. The exact vulnerability chain enab...
CVE-2017-11404
CMS Made Simple (CMSMS) 2.2.2 is affected by a vulnerability where remote authenticated administrators can upload a .php file through a FileManager action to admin/moduleinterface.php. The issue is documented across multiple feeds (NVD and others) with an attack surface requiring authentication, ...
CVE-2017-8912
CVE-2017-8912 (CMS Made Simple 2.1.6): A remote code execution vulnerability exists in admin/editusertag.php via the code parameter, enabling arbitrary PHP execution by remote authenticated admins. Root cause is tied to CreateTagFunction/CallUserTag logic. Affected software is CMS Made Simple 2....
CVE-2017-7255
XSS exists in the CMS Made Simple CMSMS 2.1.6 "Content--News--Add Article" feature via the m1_title parameter. Someone must log in to conduct the attack...
Cross site scripting
XSS exists in the CMS Made Simple CMSMS 2.1.6 "Content--News--Add Article" feature via the m1_title parameter. Someone must log in to conduct the attack...
CVE-2017-7256
CMS Made Simple (CMSMS) 2.1.6 contains a cross-site scripting (XSS) vulnerability in the Content→News→Add Article flow via the m1_summary parameter. The attack requires an authenticated user (login) to exploit the vulnerability. Affected component is the m1_summary parameter handling within the N...
CVE-2017-7255
CVE-2017-7255 describes a cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) 2.1.6, triggered in the Content→News→Add Article workflow via the m1_title parameter. Affected software is CMSMS; the issue is a reflected/stored XSS caused by unsanitized input in the m1_title field, wi...
CVE-2017-7257
CVE-2017-7257 describes a cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) 2.1.6, specifically in the Content→News→Add Article feature via the m1_content parameter. The description notes that an attacker must be logged in to perform the attack, and the vulnerability affects the...
CVE-2017-6556
CMS Made Simple (CMSMS) 2.1.6 is affected by a cross-site scripting (XSS) vulnerability that allows remote authenticated users to inject arbitrary script/HTML via the adminpage > sitesetting > General Settings > globalmetadata field. The issue stems from inadequate input validation in th...
CVE-2014-2245
The CVE-2014-2245 entry concerns a SQL injection in the News module of CMS Made Simple (CMSMS). The vulnerability affects CMSMS prior to version 1.11.10 and can be triggered by remote authenticated users who hold the Modify News permission, via the sortby parameter to admin/moduleinterface.php. T...
CVE-2013-3929
CMS Made Simple (CMSMS) 1.11.9 includes an XSS vulnerability in admin/editevent.php where the handler parameter can be exploited by remote authenticated users with the "Modify Events" permission to inject arbitrary web script or HTML. The connected sources confirm the affected file and condi...