Cmsmadesimple / Cms Made Simple

154 matches found

added 2017/02/21 7:59 a.m. | 47 views

CVE-2017-6072

CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via defaultadmin.

5.3 CVSS | 5.4 AI score | 0.00244 EPSS

added 2019/10/16 2:15 p.m. | 47 views

CVE-2019-17630

CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "News > Add Article" screen.

4.8 CVSS | 4.8 AI score | 0.00359 EPSS

added 2022/04/13 11:15 p.m. | 47 views

CVE-2021-43154

Cross Site Scripting (XSS) vulnerability exists in CMS Made Simple 2.2.15 via the Name field in an Add Category action in moduleinterface.php.

6.1 CVSS | 5.9 AI score | 0.00228 EPSS

added 2017/07/18 12:29 a.m. | 46 views

CVE-2017-11405

In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a CMSContentManager action to admin/moduleinterface.php, followed by a FilePicker action to admin/moduleinterface.php in which type=image is changed to type=file.

4.9 CVSS | 4.8 AI score | 0.00182 EPSS

added 2017/02/21 7:59 a.m. | 46 views

CVE-2017-6071

CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via exportxml.

5.3 CVSS | 5.4 AI score | 0.00312 EPSS

added 2019/03/26 10:29 p.m. | 46 views

CVE-2019-10106

CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name field, which is reachable via an "Add Category" action to the "Site Admin Settings - News module" section.

5.4 CVSS | 5.2 AI score | 0.00254 EPSS

added 2019/03/26 5:29 p.m. | 46 views

CVE-2019-9057

An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection.

8.8 CVSS | 8.7 AI score | 0.00781 EPSS

added 2021/07/02 6:15 p.m. | 46 views

CVE-2020-36410

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Email address to receive notification of news submission" parameter under the "Options" module.

5.4 CVSS | 5.2 AI score | 0.00275 EPSS

added 2023/10/26 10:15 p.m. | 46 views

CVE-2023-43352

An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component.

7.8 CVSS | 7.7 AI score | 0.00664 EPSS

added 2005/09/08 10:3 a.m. | 45 views

CVE-2005-2846

PHP remote file inclusion vulnerability in lang.php in CMS Made Simple 0.10 and earlier allows remote attackers to execute arbitrary PHP code via the nls[file][vx][vxsfx] parameter.

7.5 CVSS | 7.7 AI score | 0.02434 EPSS

added 2007/01/29 5:28 p.m. | 45 views

CVE-2007-0551

Multiple PHP remote file inclusion vulnerabilities in cmsimple/cms.php in CMSimple 2.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) pth[file][config] and (2) pth[file][image] parameters.

7.5 CVSS | 7.7 AI score | 0.00585 EPSS

added 2010/10/08 9:0 p.m. | 45 views

CVE-2010-2797

Directory traversal vulnerability in lib/translation.functions.php in CMS Made Simple before 1.8.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the default_cms_lang parameter to an admin script, as demonstrated by admin/addbookmark.php, a different vuln...

7.5 CVSS | 7.1 AI score | 0.06404 EPSS

added 2018/03/12 3:29 a.m. | 45 views

CVE-2018-8058

CMS Made Simple (CMSMS) 2.2.6 has XSS in admin/moduleinterface.php via the pagedata parameter.

4.8 CVSS | 4.9 AI score | 0.00235 EPSS

added 2021/07/02 6:15 p.m. | 45 views

CVE-2020-36409

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add Category" parameter under the "Categories" module.

5.4 CVSS | 5.2 AI score | 0.00275 EPSS

added 2021/07/02 6:15 p.m. | 45 views

CVE-2020-36411

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Path for the {page_image} tag:" or "Path for thumbnail field:" parameters under the "Content Editing Settings" modul...

5.4 CVSS | 5.3 AI score | 0.00275 EPSS

added 2021/07/02 6:15 p.m. | 45 views

CVE-2020-36416

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Design" parameter under the "Designs" module.

5.4 CVSS | 5.2 AI score | 0.00275 EPSS

added 2017/11/10 11:29 p.m. | 44 views

CVE-2017-16784

In CMS Made Simple 2.2.2, there is Reflected XSS via the cntnt01detailtemplate parameter.

6.1 CVSS | 5.9 AI score | 0.0024 EPSS

added 2017/12/18 6:29 a.m. | 44 views

CVE-2017-17735

CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in cookies.

9.8 CVSS | 9.2 AI score | 0.00275 EPSS

added 2018/04/27 6:29 p.m. | 44 views

CVE-2018-10515

In CMS Made Simple (CMSMS) through 2.2.7, the "file unpack" operation in the admin dashboard contains a remote code execution vulnerability exploitable by an admin user because a .php file can be present in the extracted ZIP archive.

7.2 CVSS | 7.4 AI score | 0.02743 EPSS

added 2018/04/27 6:29 p.m. | 44 views

CVE-2018-10519

CMS Made Simple (CMSMS) 2.2.7 contains a privilege escalation vulnerability from ordinary user to admin user by arranging for the eff_uid value within $_COOKIE[$this->_loginkey] to equal 1, because files in the tmp/ directory are accessible through HTTP requests. NOTE: this vulnerability exists ...

8.8 CVSS | 8.8 AI score | 0.00377 EPSS

added 2019/03/26 5:29 p.m. | 44 views

CVE-2019-9061

An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature.

8.8 CVSS | 8.6 AI score | 0.00781 EPSS

added 2018/01/02 5:29 p.m. | 43 views

CVE-2017-1000453

CMS Made Simple version 2.1.6 and 2.2 are vulnerable to Smarty templating injection in some core modules, resulting in unauthenticated PHP code execution.

9.8 CVSS | 9.8 AI score | 0.00979 EPSS

added 2017/12/18 6:29 a.m. | 43 views

CVE-2017-17734

CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in sessions.

9.8 CVSS | 9.2 AI score | 0.00275 EPSS

added 2014/03/02 5:55 p.m. | 42 views

CVE-2014-2092

Cross-site scripting (XSS) vulnerability in lib/filemanager/ImageManager/editorFrame.php in CMS Made Simple 1.11.10 allows remote attackers to inject arbitrary web script or HTML via the action parameter, a different issue than CVE-2014-0334. NOTE: the original disclosure also reported issues that ...

4.3 CVSS | 5.7 AI score | 0.00583 EPSS

added 2017/07/18 12:29 a.m. | 42 views

CVE-2017-11404

In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a FileManager action to admin/moduleinterface.php.

4.9 CVSS | 4.9 AI score | 0.00182 EPSS

added 2017/11/12 6:29 p.m. | 42 views

CVE-2017-16798

In CMS Made Simple 2.2.3.1, the is_file_acceptable function in modules/FileManager/action.upload.php only blocks file extensions that begin or end with a "php" substring, which allows remote attackers to bypass intended access restrictions or trigger XSS via other extensions, as demonstrated by .ph...

5.4 CVSS | 5.2 AI score | 0.0027 EPSS

added 2017/03/24 3:59 p.m. | 42 views

CVE-2017-7255

XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_title parameter. Someone must login to conduct the attack.

5.4 CVSS | 5.4 AI score | 0.00206 EPSS

added 2017/03/24 3:59 p.m. | 42 views

CVE-2017-7256

XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_summary parameter. Someone must login to conduct the attack.

5.4 CVSS | 5.4 AI score | 0.00206 EPSS

added 2017/03/24 3:59 p.m. | 42 views

CVE-2017-7257

XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_content parameter. Someone must login to conduct the attack.

5.4 CVSS | 5.4 AI score | 0.00206 EPSS

added 2021/07/02 6:15 p.m. | 42 views

CVE-2020-36413

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Exclude these IP addresses from the "Site Down" status" parameter under the "Maintenance Mode" module.

5.4 CVSS | 5.2 AI score | 0.00275 EPSS

added 2017/02/21 7:59 a.m. | 41 views

CVE-2017-6070

CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to execute PHP code via the cntnt01fbrp_forma_form_template parameter in admin_store_form.

9.8 CVSS | 9.6 AI score | 0.00799 EPSS

added 2018/04/27 6:29 p.m. | 41 views

CVE-2018-10516

In CMS Made Simple (CMSMS) through 2.2.7, the "file rename" operation in the admin dashboard contains a sensitive information disclosure vulnerability, exploitable by an admin user, that can cause DoS by moving config.php to the upload/ directory.

6.5 CVSS | 6.2 AI score | 0.00428 EPSS

added 2007/10/14 6:17 p.m. | 40 views

CVE-2007-5444

CMS Made Simple 1.1.3.1 allows remote attackers to obtain the full path via a direct request for unspecified files.

5 CVSS | 6.5 AI score | 0.00283 EPSS

added 2010/10/08 9:0 p.m. | 40 views

CVE-2010-3884

Cross-site request forgery (CSRF) vulnerability in CMS Made Simple 1.8.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that reset the administrative password. NOTE: the provenance of this information is unknown; the details are obtained solely from ...

6.8 CVSS | 7.1 AI score | 0.00079 EPSS

added 2017/03/09 9:59 a.m. | 40 views

CVE-2017-6555

Cross-site scripting (XSS) vulnerability in /admin/moduleinterface.php in CMS Made Simple 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the m1_description parameter (aka "Design Manager > Categories > Category Description").

5.4 CVSS | 5 AI score | 0.0015 EPSS

added 2017/03/09 9:59 a.m. | 40 views

CVE-2017-6556

Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the "adminpage > sitesetting > General Settings > globalmetadata" field.

5.4 CVSS | 5 AI score | 0.0015 EPSS

added 2018/04/13 5:29 a.m. | 40 views

CVE-2018-10082

CMS Made Simple (CMSMS) through 2.2.7 allows physical path leakage via an invalid /index.php?page= value, a crafted URI starting with /index.php?mact=Search, or a direct request to /admin/header.php, /admin/footer.php, /lib/tasks/class.ClearCache.task.php, or /lib/tasks/class.CmsSecurityCheck.task....

5.3 CVSS | 5.1 AI score | 0.00289 EPSS

added 2018/04/27 6:29 p.m. | 40 views

CVE-2018-10521

In CMS Made Simple (CMSMS) through 2.2.7, the "file move" operation in the admin dashboard contains an arbitrary file movement vulnerability that can cause DoS, exploitable by an admin user, because config.php can be moved into an incorrect directory.

4 CVSS | 4.3 AI score | 0.00284 EPSS

added 2018/04/27 6:29 p.m. | 40 views

CVE-2018-10523

CMS Made Simple (CMSMS) through 2.2.7 contains a physical path leakage Vulnerability via /modules/DesignManager/action.ajax_get_templates.php, /modules/DesignManager/action.ajax_get_stylesheets.php, /modules/FileManager/dunzip.php, or /modules/FileManager/untgz.php.

5.3 CVSS | 5.1 AI score | 0.00477 EPSS

added 2018/01/25 4:29 p.m. | 40 views

CVE-2018-5963

CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/addbookmark.php via the title parameter.

4.8 CVSS | 4.9 AI score | 0.00472 EPSS

added 2019/03/24 10:29 p.m. | 40 views

CVE-2019-10017

CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker.

5.4 CVSS | 5.2 AI score | 0.00254 EPSS

added 2020/12/17 11:15 p.m. | 40 views

CVE-2020-20138

Cross Site Scripting (XSS) vulnerability in the Showtime2 Slideshow module in CMS Made Simple (CMSMS) 2.2.4.

6.1 CVSS | 6 AI score | 0.00328 EPSS

added 2023/05/08 2:15 p.m. | 40 views

CVE-2021-28999

SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php.

8.8 CVSS | 9.3 AI score | 0.00188 EPSS

added 2011/06/08 10:36 a.m. | 39 views

CVE-2010-4663

Unspecified vulnerability in the News module in CMS Made Simple (CMSMS) before 1.9.1 has unknown impact and attack vectors.

10 CVSS | 6.7 AI score | 0.00414 EPSS

added 2017/06/18 9:29 p.m. | 39 views

CVE-2017-9668

In admin\addgroup.php in CMS Made Simple 2.1.6, when adding a user group, there is no XSS filtering, resulting in storage-type XSS generation, via the description parameter in an addgroup action.

6.1 CVSS | 5.9 AI score | 0.00223 EPSS

added 2018/04/11 7:29 p.m. | 39 views

CVE-2018-10032

CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_version parameter.

4.8 CVSS | 4.9 AI score | 0.00215 EPSS

added 2018/04/13 5:29 a.m. | 39 views

CVE-2018-10084

CMS Made Simple (CMSMS) through 2.2.6 contains a privilege escalation vulnerability from ordinary user to admin user by arranging for the eff_uid value within $_COOKIE[$this->_loginkey] to equal 1, because an SHA-1 cryptographic protection mechanism can be bypassed.

8.8 CVSS | 8.8 AI score | 0.00171 EPSS

added 2018/04/13 5:29 a.m. | 39 views

CVE-2018-10085

CMS Made Simple (CMSMS) through 2.2.6 allows PHP object injection because of an unserialize call in the _get_data function of \lib\classes\internal\class.LoginOperations.php. By sending a crafted cookie, a remote attacker can upload and execute code, or delete files.

9.8 CVSS | 9.6 AI score | 0.03022 EPSS

added 2018/01/25 4:29 p.m. | 39 views

CVE-2018-5965

CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_errors parameter.

4.8 CVSS | 4.9 AI score | 0.00472 EPSS

added 2023/07/06 3:15 p.m. | 39 views

CVE-2023-36969

CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function.

8.8 CVSS | 8.8 AI score | 0.65907 EPSS

Total number of security vulnerabilities: 154