Cmsmadesimple / Cms Made Simple

154 matches found

added 2019/03/26 5:29 p.m. | 224 views

CVE-2019-9053

An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.

8.1 CVSS | 8.2 AI score | 0.92225 EPSS

added 2019/03/26 5:29 p.m. | 221 views

CVE-2019-9055

An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible to reach an unserialize call with a crafted value in the m1_allparms parameter, ...

8.8 CVSS | 8.7 AI score | 0.27589 EPSS

added 2022/02/28 11:15 p.m. | 109 views

CVE-2022-23906

CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file.

7.2 CVSS | 7.1 AI score | 0.06427 EPSS

added 2023/09/25 4:15 p.m. | 98 views

CVE-2023-43339

Cross-Site Scripting (XSS) vulnerability in cmsmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload injected into the Database Name, Database User or Database Port components.

6.1 CVSS | 5.8 AI score | 0.00176 EPSS

added 2020/03/20 4:15 a.m. | 92 views

CVE-2020-10681

The Filemanager in CMS Made Simple 2.2.13 has stored XSS via a .pxd file, as demonstrated by m1_files[] to admin/moduleinterface.php.

5.4 CVSS | 5.6 AI score | 0.00415 EPSS

added 2023/09/28 2:15 p.m. | 92 views

CVE-2023-43872

A File upload vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to upload a pdf file with hidden Cross Site Scripting (XSS).

5.4 CVSS | 5.8 AI score | 0.00597 EPSS

added 2021/03/30 12:16 p.m. | 90 views

CVE-2021-28935

CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field.

5.4 CVSS | 5.1 AI score | 0.0023 EPSS

added 2019/10/06 6:15 p.m. | 89 views

CVE-2019-17226

CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Module Manager > Search Term field.

4.8 CVSS | 4.8 AI score | 0.00288 EPSS

added 2020/05/28 7:15 p.m. | 88 views

CVE-2020-13660

CMS Made Simple through 2.2.14 allows XSS via a crafted File Picker profile name.

4.8 CVSS | 4.8 AI score | 0.0031 EPSS

added 2020/03/20 4:15 a.m. | 82 views

CVE-2020-10682

The Filemanager in CMS Made Simple 2.2.13 allows remote code execution via a .php.jpegd JPEG file, as demonstrated by m1_files[] to admin/moduleinterface.php. The file should be sent as application/octet-stream and contain PHP code (it need not be a valid JPEG file).

7.8 CVSS | 7.9 AI score | 0.01856 EPSS

added 2024/03/05 2:15 p.m. | 77 views

CVE-2024-27623

CMS Made Simple version 2.2.19 is vulnerable to Server-Side Template Injection (SSTI). The vulnerability exists within the Design Manager, particularly when editing the Breadcrumbs.

5.9 CVSS | 9.4 AI score | 0.00034 EPSS

added 2022/02/28 11:15 p.m. | 74 views

CVE-2022-23907

CMS Made Simple v2.2.15 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the parameter m1_fmmessage.

6.1 CVSS | 6.1 AI score | 0.00489 EPSS

added 2021/07/26 9:15 p.m. | 73 views

CVE-2020-23241

Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via "News > Article" feature.

4.8 CVSS | 4.9 AI score | 0.00507 EPSS

added 2025/05/25 6:15 p.m. | 71 views

CVE-2025-5153

A vulnerability, which was classified as problematic, has been found in CMS Made Simple 2.2.21. This issue affects some unknown processing of the component Design Manager Module. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The ex...

5.1 CVSS | 3.7 AI score | 0.00028 EPSS

added 2023/10/20 10:15 p.m. | 70 views

CVE-2023-43357

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the Manage Shortcuts component.

5.4 CVSS | 6.1 AI score | 0.00255 EPSS

added 2024/03/12 4:15 p.m. | 69 views

CVE-2024-1527

Unrestricted file upload vulnerability in CMS Made Simple, affecting version 2.2.14. This vulnerability allows an authenticated user to bypass the security measures of the upload functionality and potentially create a remote execution of commands via webshell.

9.8 CVSS | 9.6 AI score | 0.00042 EPSS

added 2010/05/12 4:5 p.m. | 67 views

CVE-2010-1482

Cross-site scripting (XSS) vulnerability in admin/editprefs.php in the backend in CMS Made Simple (CMSMS) before 1.7.1 might allow remote attackers to inject arbitrary web script or HTML via the date_format_string parameter.

4.3 CVSS | 5.6 AI score | 0.00285 EPSS

added 2017/11/10 11:29 p.m. | 67 views

CVE-2017-16783

In CMS Made Simple 2.1.6, there is Server-Side Template Injection via the cntnt01detailtemplate parameter.

9.8 CVSS | 9.6 AI score | 0.16935 EPSS

added 2019/03/11 6:29 p.m. | 66 views

CVE-2019-9692

class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).

6.5 CVSS | 6.6 AI score | 0.57271 EPSS

added 2018/02/26 5:29 p.m. | 65 views

CVE-2018-7448

Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure.

8.5 CVSS | 7.8 AI score | 0.43202 EPSS

added 2007/09/24 10:17 p.m. | 62 views

CVE-2007-5056

Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple, SAPID CMF, Journalness, PacerCMS, and Open-Realty, allows remote attackers to execute arbitrary code via PHP sequences in the last_module parameter.

6.8 CVSS | 7.8 AI score | 0.70254 EPSS

added 2019/11/26 11:15 p.m. | 61 views

CVE-2011-4310

The news module in CMSMS before 1.9.4.3 allows remote attackers to corrupt new articles.

7.5 CVSS | 7.5 AI score | 0.00233 EPSS

added 2018/04/27 6:29 p.m. | 61 views

CVE-2018-10517

In CMS Made Simple (CMSMS) through 2.2.7, the "module import" operation in the admin dashboard contains a remote code execution vulnerability, exploitable by an admin user, because an XML Package can contain base64-encoded PHP code in a data element.

7.2 CVSS | 7.5 AI score | 0.18534 EPSS

added 2023/10/20 10:15 p.m. | 61 views

CVE-2023-43356

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Global Metadata parameter in the Global Settings Menu component.

5.4 CVSS | 6.1 AI score | 0.00255 EPSS

added 2018/03/13 1:29 a.m. | 60 views

CVE-2018-1000094

CMS Made Simple version 2.2.5 contains a Remote Code Execution vulnerability in File Manager that can allow an authenticated admin who has access to the file manager to execute code on the server. This attack appears to be exploitable via File upload -> copy to any extension.

7.2 CVSS | 7.2 AI score | 0.55987 EPSS

added 2023/10/20 10:15 p.m. | 60 views

CVE-2023-43354

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Profiles parameter in the Extensions - MicroTiny WYSIWYG editor component.

5.4 CVSS | 6.1 AI score | 0.00235 EPSS

added 2008/01/04 11:46 a.m. | 59 views

CVE-2007-6656

SQL injection vulnerability in content_css.php in the TinyMCE module for CMS Made Simple 1.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter.

7.5 CVSS | 8.4 AI score | 0.00874 EPSS

added 2023/10/20 10:15 p.m. | 59 views

CVE-2023-43353

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the extra parameter in the news menu component.

5.4 CVSS | 6.1 AI score | 0.00235 EPSS

added 2023/10/20 10:15 p.m. | 59 views

CVE-2023-43355

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the password and password again parameters in the My Preferences - Add user component.

5.4 CVSS | 6.2 AI score | 0.00386 EPSS

added 2024/03/12 4:15 p.m. | 59 views

CVE-2024-1529

Vulnerability in CMS Made Simple 2.2.14, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/adduser.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payl...

7.4 CVSS | 6.6 AI score | 0.00059 EPSS

added 2022/06/09 3:15 p.m. | 58 views

CVE-2021-40961

CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL language without using the '.

8.8 CVSS | 9 AI score | 0.01251 EPSS

added 2024/03/12 4:15 p.m. | 58 views

CVE-2024-1528

CMS Made Simple version 2.2.14, does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/moduleinterface.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to ...

7.4 CVSS | 6.6 AI score | 0.00059 EPSS

added 2024/03/05 2:15 p.m. | 58 views

CVE-2024-27622

A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19 / 2.2.21. This vulnerability arises from inadequate sanitization of user-supplied input in the 'Code' section of the module. As a result, authenticated users with administrati...

7.2 CVSS | 9.7 AI score | 0.02651 EPSS

added 2016/05/26 2:59 p.m. | 56 views

CVE-2016-2784

CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2, when Smarty Cache is activated, allow remote attackers to conduct cache poisoning attacks, modify links, and conduct cross-site scripting (XSS) attacks via a crafted HTTP Host header in a request.

4.7 CVSS | 4.5 AI score | 0.06088 EPSS

added 2023/10/25 6:17 p.m. | 56 views

CVE-2023-43360

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component.

5.4 CVSS | 6.1 AI score | 0.00386 EPSS

added 2021/07/26 9:15 p.m. | 55 views

CVE-2020-23240

Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature.

4.8 CVSS | 5.1 AI score | 0.00507 EPSS

added 2020/10/01 2:15 p.m. | 55 views

CVE-2020-24860

CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website.

5.4 CVSS | 5.1 AI score | 0.00634 EPSS

added 2017/05/12 7:29 a.m. | 54 views

CVE-2017-8912

CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated administrators to execute arbitrary PHP code via the code parameter to admin/editusertag.php, related to the CreateTagFunction and CallUserTag functions. NOTE: the vendor reportedly has stated this is "a feature, not a bug."

7.2 CVSS | 7.1 AI score | 0.03714 EPSS

added 2021/07/02 6:15 p.m. | 54 views

CVE-2020-36414

A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "URL (slug)" or "Extra" fields under the "Add Article" feature.

5.4 CVSS | 5.2 AI score | 0.00322 EPSS

added 2014/03/02 5:55 p.m. | 53 views

CVE-2014-0334

Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple allow remote authenticated users to inject arbitrary web script or HTML via (1) the group parameter to admin/addgroup.php, (2) the htmlblob parameter to admin/addhtmlblob.php, the (3) title or (4) url parameter to admin/addbookm...

3.5 CVSS | 5.3 AI score | 0.00583 EPSS

added 2019/06/05 6:29 p.m. | 51 views

CVE-2019-11226

CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News.

5.4 CVSS | 5.2 AI score | 0.00289 EPSS

added 2021/07/02 6:15 p.m. | 51 views

CVE-2020-36408

A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add Shortcut" parameter under the "Manage Shortcuts" module.

5.4 CVSS | 5.2 AI score | 0.00305 EPSS

added 2024/03/05 2:15 p.m. | 51 views

CVE-2024-27625

CMS Made Simple Version 2.2.19 is vulnerable to Cross Site Scripting (XSS). This vulnerability resides in the File Manager module of the admin panel. Specifically, the issue arises due to inadequate sanitization of user input in the "New directory" field.

4.8 CVSS | 9 AI score | 0.00057 EPSS

added 2018/01/02 5:29 p.m. | 50 views

CVE-2017-1000454

CMS Made Simple 2.1.6, 2.2, 2.2.1 are vulnerable to Smarty Template Injection in some core components, resulting in local file read before 2.2, and local file inclusion since 2.2.1.

7.8 CVSS | 7.5 AI score | 0.00176 EPSS

added 2019/04/25 3:29 a.m. | 49 views

CVE-2019-11513

The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action.

4.8 CVSS | 4.9 AI score | 0.00288 EPSS

added 2021/09/17 4:15 p.m. | 49 views

CVE-2019-9060

An issue was discovered in CMS Made Simple 2.2.8. It is possible to achieve unauthenticated path traversal in the CGExtensions module (in the file action.setdefaulttemplate.php) with the m1_filename parameter; and through the action.showmessage.php file, it is possible to read arbitrary file conten...

7.5 CVSS | 7.7 AI score | 0.00415 EPSS

added 2021/07/02 6:15 p.m. | 49 views

CVE-2020-36412

A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Search Text" field under the "Admin Search" module.

5.4 CVSS | 5.2 AI score | 0.00275 EPSS

added 2021/07/02 6:15 p.m. | 49 views

CVE-2020-36415

A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Stylesheet" parameter under the "Stylesheets" module.

5.4 CVSS | 5.2 AI score | 0.00275 EPSS

added 2008/12/17 5:30 p.m. | 48 views

CVE-2008-5642

Directory traversal vulnerability in admin/login.php in CMS Made Simple 1.4.1 allows remote attackers to read arbitrary files via a .. (dot dot) in a cms_language cookie.

5 CVSS | 6.5 AI score | 0.06404 EPSS

added 2018/04/27 6:29 p.m. | 48 views

CVE-2018-10522

In CMS Made Simple (CMSMS) through 2.2.7, the "file view" operation in the admin dashboard contains a sensitive information disclosure vulnerability, exploitable by ordinary users, because the product exposes unrestricted access to the PHP file_get_contents function.

4.9 CVSS | 5 AI score | 0.00285 EPSS

Total number of security vulnerabilities: 154