154 matches found
CVE-2019-9053
CMS Made Simple 2.2.8 is affected by CVE-2019-9053 via the News module, allowing unauthenticated time-based blind SQL injection through the m1_idlist parameter. Public writeups and exploits in Connected documents indicate this vulnerability is exploitable to extract database information, and fixe...
CVE-2019-9055
CMS Made Simple 2.2.8 contains a vulnerability in the DesignManager module (action.admin_bulk_css.php and action.admin_bulk_template.php) where an unserialize call on m1_allparms can be triggered by an unprivileged user with Designer permission to achieve object injection, enabling authenticated ...
CVE-2022-23906
CMS Made Simple 2.2.15 is reported to have a Remote Command Execution (RCE) vulnerability in the avatar upload function, exploitable via a crafted image file. The issue is documented across multiple sources (NVD, Red Hat, CVE lists) with CVSS vectors indicating high impact (C:H/I:H/A:H; CVSS3.1: ...
CVE-2023-43339
CMS Made Simple 2.2.18 is affected by a Cross-Site Scripting (XSS) vulnerability that allows a local attacker to execute arbitrary code via a crafted payload injected into the Database Name, Database User, or Database Port components. The issue is described across multiple sources (NVD, Red Hat, ...
CVE-2023-43872
CMS Made Simple 2.2.18 is affected by a file-upload vulnerability that lets a local attacker upload a PDF containing hidden XSS. Root cause: lack of validation of uploaded files. Impact indicators in the source describe cross-site scripting with low privileges and user interaction required, thoug...
CVE-2020-10681
Summary: CVE-2020-10681 affects CMS Made Simple 2.2.13, specifically the Filemanager component, which is vulnerable to stored XSS via a .pxd file, demonstrated via m1_files[] to admin/moduleinterface.php. What’s affected: CMS Made Simple Filemanager in version 2.2.13. Root cause / vector (as stat...
CVE-2021-28935
CMS Made Simple (CMSMS) 2.2.15 is affected by an authenticated cross-site scripting (XSS) vulnerability in /admin/addbookmark.php via the Site Admin > My Preferences > Title field. The issue allows an authenticated user to inject scripts, with CVSS:3.1 base score 5.4 (MEDIUM) and CVSS2 base sco...
CVE-2019-17226
Summary: CVE-2019-17226 affects CMS Made Simple (CMSMS) 2.2.11, enabling cross-site scripting via the Site Admin > Module Manager > Search Term field. The vulnerability is evidenced in multiple sources (NVD entry mirrors the description). Some open-source scanner data (OpenVAS) indicates a ...
CVE-2020-13660
CVE-2020-13660 concerns CMS Made Simple up to version 2.2.14, where an XSS vulnerability exists in the File Picker profile name. The connected sources consistently describe a cross-site scripting issue stemming from insufficient input/validation handling in the web application, enabling crafted p...
CVE-2020-10682
CMS Made Simple Filemanager in version 2.2.13 is vulnerable to remote code execution via a crafted .php.jpegd JPEG file. An attacker can deliver PHP code by uploading a file (sent as application/octet-stream) and triggering it through admin/moduleinterface.php (e.g., using m1_files[]) to execute ...
CVE-2024-27623
CMS Made Simple 2.2.19 is affected by CVE-2024-27623, a Server-Side Template Injection in the Design Manager component, specifically when editing Breadcrumbs. Red Hat’s entry confirms the vulnerability in CMSMS 2.2.19 and does not provide an official remediation in the cited materials. The availa...
CVE-2022-23907
CMS Made Simple v2.2.15 is affected by a reflected XSS via the m1_fmmessage parameter. The vulnerability is documented across multiple sources (e.g., CVE-2022-23907) and is described as a reflected XSS that could cause client-side JavaScript execution. The linked Red Hat/CVE info corroborates the...
CVE-2023-36969
CMS Made Simple v2.2.17 (and affected
CVE-2020-23241
CMS Made Simple 2.2.14 is affected by a Cross-Site Scripting (XSS) vulnerability in the “Extra” field via the News > Article feature. The issue is documented across multiple sources, indicating the vulnerable component is the News > Article path in the CMS Made Simple 2.2.14 implementation, with ...
CVE-2025-5153
CMS Made Simple 2.2.21 is affected by a cross-site scripting vulnerability in the Design Manager Module, caused by improper handling of the Description argument. Exploitation is possible remotely and details have been disclosed publicly. No patch/version fix is provided in the documents; several ...
CVE-2023-43357
CMS Made Simple 2.2.18 is affected by a Cross Site Scripting vulnerability in the Manage Shortcuts Title parameter. The flaw allows a local attacker to execute arbitrary code via a crafted script. Root cause: insufficient input validation in the Title field of the Manage Shortcuts component. Impa...
CVE-2010-1482
CVE-2010-1482 affects CMS Made Simple (CMSMS) prior to version 1.7.1. The vulnerability is a cross-site scripting (XSS) flaw in the backend’s admin/editprefs.php, exploitable via the date_format_string parameter. The issue arises from insufficient escaping of user-supplied input, enabling an atta...
CVE-2018-1000094
CVE-2018-1000094 affects CMS Made Simple 2.2.5. The vulnerability is a remote code execution via the File Manager, exploitable by an authenticated administrator who can upload a file and copy/rename it to a PHP extension, enabling execution of arbitrary code on the server (e.g., via a PHP shell)....
CVE-2024-1527
CMS Made Simple 2.2.14 has an Unrestricted File Upload vulnerability (CVE-2024-1527). An authenticated user can bypass upload protections and potentially upload a webshell to achieve remote command execution. Multiple sources (NVD entry) describe the impact as high to critical with high confident...
CVE-2017-16783
CMS Made Simple 2.1.6 is affected by CVE-2017-16783: a Server-Side Template Injection issue exploited via the cntnt01detailtemplate parameter. Public references (NVD and exploit databases) describe a high-severity vulnerability that is exploitable over the network without authentication, with impact to c...
CVE-2018-7448
Summary: CVE-2018-7448 affects CMS Made Simple 2.1.6. During a fresh installation, an attacker can inject arbitrary PHP code via the “timezone” parameter in step 4, causing code to be written to the configuration file (config.php) and enabling OS command execution through a backdoor. These detail...
CVE-2019-9692
CMS Made Simple Showtime2 contains a vulnerability in class.showtime2_image.php where a watermark image file is not validated for a standard extension (GIF/JPG/JPEG/PNG). This enables an authenticated attacker with Showtime2 privileges to upload crafted files, potentially leading to remote comman...
CVE-2023-43356
CVE-2023-43356 concerns CMS Made Simple (CMSMS) v2.2.18 with a stored Cross Site Scripting (XSS) flaw in the Global Settings Menu component, via the Global Metadata parameter. The attack vector is local to an authenticated user view where crafted input is injected, enabling arbitrary code execut...
CVE-2007-5056
CVE-2007-5056 is an eval injection in adodb-perf-module.inc.php of ADOdb Lite
CVE-2018-10517
CVE-2018-10517 concerns CMS Made Simple (CMSMS) up to version 2.2.7. The vulnerability lies in the admin dashboard’s “module import” operation, where an XML Package can include a data element with base64-encoded PHP code, enabling remote code execution when exploited by an authenticated adminis...
CVE-2023-43354
CMS Made Simple 2.2.18 contains a Cross-Site Scripting vulnerability in the MicroTiny WYSIWYG editor’s Profiles parameter, allowing a local attacker to execute arbitrary code via a crafted script. The issue is documented across multiple sources (e.g., RH/CVE and NVD) with the same description. Th...
CVE-2011-4310
CVE-2011-4310 corresponds to a vulnerability in the News module of CMS Made Simple (CMSMS) prior to version 1.9.4.3. The issue allows remote attackers to corrupt newly written articles. Affected products: CMSMS, with the News module as the vulnerable component; vulnerable scope is versions earlie...
CVE-2017-8912
CVE-2017-8912 (CMS Made Simple 2.1.6): A remote code execution vulnerability exists in admin/editusertag.php via the code parameter, enabling arbitrary PHP execution by remote authenticated admins. Root cause is tied to CreateTagFunction/CallUserTag logic. Affected software is CMS Made Simple 2....
CVE-2023-43353
CMS Made Simple 2.2.18 is affected by a Cross-Site Scripting vulnerability in the News menu component’s extra parameter that can lead to arbitrary code execution. The issue is documented across multiple sources with PoC availability and a low-to-moderate CVSS (NVD base 5.4; AV:N/AC:L/PR:L/UI:R/S:...
CVE-2021-40961
CVE-2021-40961 affects CMS Made Simple
CVE-2007-6656
The CVE-2007-6656 entry describes an SQL injection in CMS Made Simple's TinyMCE module, specifically in content_css.php, affecting CMS Made Simple 1.2.2 and earlier. The vulnerability allows remote attackers to execute arbitrary SQL commands via the templateid parameter. The provided sources conf...
CVE-2023-43355
CMS Made Simple 2.2.18 has a stored XSS flaw exposed via the My Preferences – Add user component that lets a local attacker craft a script through the password and password again parameters to execute arbitrary code. Public sources (e.g., Red Hat, CNNVD, OpenVAS writeups) confirm the vulnerabilit...
CVE-2024-1529
CMS Made Simple 2.2.14 is affected by a Cross-Site Scripting (XSS) vulnerability in the /admin/adduser.php endpoint due to insufficient encoding of user-controlled input across multiple parameters. The issue could allow a remote attacker to deliver a crafted JavaScript payload to an authenticated...
CVE-2016-2784
CMS Made Simple is vulnerable to a cache-poisoning/XSS issue when Smarty Cache is active. A remote attacker can craft the Host header to poison the web server cache and modify links, potentially enabling XSS. Affected are CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2. Exploitation has be...
CVE-2020-23240
CMS Made Simple 2.2.14 is vulnerable to Cross-Site Scripting via the Logic field in the Content Manager (XSS). The issue is documented across NVD/CVE records and mirrored by Red Hat and CNVD entries. The OpenVAS entry notes a WillNotFix remediation in its data; no patch/version fix is provided in...
CVE-2023-43360
CMS Made Simple 2.2.18 is affected by a Cross-Site Scripting vulnerability in the File Picker Menu’s Top Directory parameter. A local attacker can inject crafted scripts to gain arbitrary code execution within the CMS. Root cause: improper handling of user-supplied input in the Top Directory fiel...
CVE-2024-1528
CMS Made Simple 2.2.14 is reported to be vulnerable to Cross-Site Scripting through /admin/moduleinterface.php due to insufficient encoding of user-controlled input in multiple parameters. The issue is exploitable to deliver a crafted JavaScript payload to an authenticated user, with potential se...
CVE-2024-27622
CMS Made Simple v2.2.19/v2.2.21 contains a remote code execution (RCE) flaw in the User Defined Tags module. The vulnerability arises from inadequate sanitization of user-supplied input in the module’s Code section, allowing authenticated users with administrative privileges to inject and execute...
CVE-2020-24860
CVE-2020-24860 affects CMS Made Simple 2.2.14. An authenticated user with access to the Content Manager can edit content and inject a persistent XSS payload into affected text fields, potentially obtaining cookies from every authenticated visitor. The available connected documents confirm the vul...
CVE-2014-0334
CMS Made Simple (1.11.x) has multiple XSS vulnerabilities (CVE-2014-0334) exploitable via many admin parameters (admin/addgroup.php, admin/addhtmlblob.php, admin/addbookmark.php, admin/copystylesheet.php, admin/copytemplate.php, admin/editbookmark.php, admin/listtemplates.php, admin/listcss.php, ...
CVE-2020-36414
CMS Made Simple is affected by a stored XSS in version 2.2.14 via crafted payloads entered in the Add Article feature (URL slug or Extra fields). The vulnerability requires authentication and could allow executing arbitrary scripts/HTML in the victim’s browser. Publicly documented fixes point to ...
CVE-2020-36408
CMS Made Simple 2.2.14 is affected by a stored XSS via the Add Shortcut field in the Manage Shortcuts module. Exploitation requires authentication, enabling attackers to inject and execute arbitrary web scripts or HTML in the context of the affected site. Affected product/version: CMS Made Simple...
CVE-2017-1000454
CVE-2017-1000454 affects CMS Made Simple versions 2.1.6, 2.2, and 2.2.1. Affected component: Smarty Template Injection in some core components. Impact: local file read prior to 2.2 and local file inclusion since 2.2.1. Documentation from multiple sources confirms vulnerability details; explicit r...
CVE-2019-11226
CVE-2019-11226: CMS Made Simple 2.2.10 contains a cross-site scripting (XSS) vulnerability reachable via the m1_name parameter in the Add Article workflow under Content → Content Manager → News. Several sources describe this as an XSS issue (some references note authenticated, persistent XSS beh...
CVE-2024-27625
CVE-2024-27625 affects CMS Made Simple version 2.2.19 and specifically targets the File Manager module in the admin panel. The root cause is inadequate sanitization of user input in the "New directory" field, enabling cross-site scripting (XSS). The vulnerability is documented across multiple sou...
CVE-2019-9060
CMS Made Simple 2.2.8 is affected by CVE-2019-9060 via the CGExtensions module (action.setdefaulttemplate.php) using m1_filename for unauthenticated path traversal and through action.showmessage.php with m1_prefname cg_errormsg and m1_resettodefault=1 to read arbitrary files. Impact: partial conf...
CVE-2020-36415
CMS Made Simple 2.2.14 is affected by a stored XSS in the Stylesheets module (Create a new Stylesheet field). Authenticated users can inject arbitrary web scripts through this parameter, potentially impacting data integrity and user sessions. No remediation details are provided in the supplied do...
CVE-2017-6072
The Form Builder module for CMS Made Simple (CMSMS) version 1.x is affected by CVE-2017-6072 in releases prior to version 0.8.1.6, with exploitation allowing information disclosure via defaultadmin. The root cause is an information-disclosure vulnerability in the Form Builder module that enables remote ...
CVE-2019-11513
CMS Made Simple’s File Manager (affected through version 2.2.10) is vulnerable to a Reflected XSS in the Rename action via the New name field. The connected sources consistently describe a reflected XSS condition in this component; no patch/version fix is specified in the provided documents. Expl...
CVE-2020-36412
CVE-2020-36412 affects CMS Made Simple 2.2.14. The vulnerability is a stored XSS in the Admin/Search module, exploitable by submitting a crafted payload into the Search Text field. The issue is reported as an authenticated vulnerability where an attacker with access to the CMS backend can execute...