Cmsmadesimple / Cms Made Simple

12 matches found

added 2019/03/26 5:29 p.m., 226 views

CVE-2019-9053

An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.

CVSS 8.1, AI score 8.2, EPSS 0.92225

added 2019/03/26 5:29 p.m., 221 views

CVE-2019-9055

An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible to reach an unserialize call with a crafted value in the m1_allparms parameter, ...

CVSS 8.8, AI score 8.7, EPSS 0.27589

added 2019/03/11 6:29 p.m., 66 views

CVE-2019-9692

class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).

CVSS 6.5, AI score 6.6, EPSS 0.60511

added 2019/03/26 10:29 p.m., 46 views

CVE-2019-10106

CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name field, which is reachable via an "Add Category" action to the "Site Admin Settings - News module" section.

CVSS 5.4, AI score 5.2, EPSS 0.00254

added 2019/03/26 5:29 p.m., 46 views

CVE-2019-9057

An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection.

CVSS 8.8, AI score 8.7, EPSS 0.00781

added 2019/03/26 5:29 p.m., 44 views

CVE-2019-9061

An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature.

CVSS 8.8, AI score 8.6, EPSS 0.00781

added 2019/03/24 10:29 p.m., 40 views

CVE-2019-10017

CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker.

CVSS 5.4, AI score 5.2, EPSS 0.00254

added 2019/03/26 10:29 p.m., 37 views

CVE-2019-10107

CMS Made Simple 2.2.10 has XSS via the myaccount.php "Email Address" field, which is reachable via the "My Preferences -> My Account" section.

CVSS 5.4, AI score 5.2, EPSS 0.00254

added 2019/03/11 6:29 p.m., 37 views

CVE-2019-9693

In CMS Made Simple (CMSMS) before 2.2.10, an authenticated user can achieve SQL Injection in class.showtime2_data.php via the functions _updateshow (parameter show_id), _inputshow (parameter show_id), _Getshowinfo (parameter show_id), _Getpictureinfo (parameter picture_id), _AdjustNameSeq (paramete...

CVSS 8.8, AI score 9, EPSS 0.00357

added 2019/03/26 5:29 p.m., 36 views

CVE-2019-9059

An issue was discovered in CMS Made Simple 2.2.8. It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable in Mail Settings, setting "sendmail" in the "Mailer" option, and launching the "Forgot your password" feature.

CVSS 7.2, AI score 7.6, EPSS 0.04139

added 2019/03/26 5:29 p.m., 34 views

CVE-2019-9058

An issue was discovered in CMS Made Simple 2.2.8. In the administrator page admin/changegroupperm.php, it is possible to send a crafted value in the sel_groups parameter that leads to authenticated object injection.

CVSS 7.2, AI score 7.3, EPSS 0.01005

added 2019/03/26 10:29 p.m., 33 views

CVE-2019-10105

CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager.

CVSS 5.4, AI score 5.4, EPSS 0.00254