Cmsmadesimple / Cms Made Simple

19 matches found

added 2019/03/26 5:29 p.m., 224 views

CVE-2019-9053

An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.

CVSS 8.1, AI score 8.2, EPSS 0.92225

added 2019/03/26 5:29 p.m., 221 views

CVE-2019-9055

An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible to reach an unserialize call with a crafted value in the m1_allparms parameter, ...

CVSS 8.8, AI score 8.7, EPSS 0.27589

added 2018/02/26 5:29 p.m., 65 views

CVE-2018-7448

Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure.

CVSS 8.5, AI score 7.8, EPSS 0.43202

added 2022/06/09 3:15 p.m., 58 views

CVE-2021-40961

CMS Made Simple

CVSS 8.8, AI score 9, EPSS 0.01251

added 2019/03/26 5:29 p.m., 46 views

CVE-2019-9057

An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection.

CVSS 8.8, AI score 8.7, EPSS 0.00781

added 2018/04/27 6:29 p.m., 44 views

CVE-2018-10519

CMS Made Simple (CMSMS) 2.2.7 contains a privilege escalation vulnerability from ordinary user to admin user by arranging for the eff_uid value within $_COOKIE[$this->_loginkey] to equal 1, because files in the tmp/ directory are accessible through HTTP requests. NOTE: this vulnerability exists ...

CVSS 8.8, AI score 8.8, EPSS 0.00377

added 2019/03/26 5:29 p.m., 44 views

CVE-2019-9061

An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature.

CVSS 8.8, AI score 8.6, EPSS 0.00781

added 2023/05/08 2:15 p.m., 40 views

CVE-2021-28999

SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php.

CVSS 8.8, AI score 9.3, EPSS 0.00188

added 2018/04/13 5:29 a.m., 39 views

CVE-2018-10084

CMS Made Simple (CMSMS) through 2.2.6 contains a privilege escalation vulnerability from ordinary user to admin user by arranging for the eff_uid value within $_COOKIE[$this->_loginkey] to equal 1, because an SHA-1 cryptographic protection mechanism can be bypassed.

CVSS 8.8, AI score 8.8, EPSS 0.00171

added 2023/07/06 3:15 p.m., 39 views

CVE-2023-36969

CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function.

CVSS 8.8, AI score 8.8, EPSS 0.7152

added 2018/04/27 6:29 p.m., 38 views

CVE-2018-10520

In CMS Made Simple (CMSMS) through 2.2.7, the "module remove" operation in the admin dashboard contains an arbitrary file deletion vulnerability that can cause DoS, exploitable by an admin user, because the attacker can remove all lib/ files in all directories.

CVSS 8.5, AI score 6.5, EPSS 0.00207

added 2018/04/27 6:29 p.m., 37 views

CVE-2018-10518

In CMS Made Simple (CMSMS) through 2.2.7, the "file delete" operation in the admin dashboard contains an arbitrary file deletion vulnerability that can cause DoS, exploitable by an admin user, because the attacker can remove all lib/ files in all directories.

CVSS 8.5, AI score 6.5, EPSS 0.00207

added 2019/04/11 8:29 p.m., 37 views

CVE-2019-9056

An issue was discovered in CMS Made Simple 2.2.8. In the module FrontEndUsers (in the file class.FrontEndUsersManipulate.php or class.FrontEndUsersManipulator.php), it is possible to reach an unserialize call with an untrusted FEU cookie, and achieve authenticated object injection.

CVSS 8.8, AI score 8.7, EPSS 0.01225

added 2019/03/11 6:29 p.m., 37 views

CVE-2019-9693

In CMS Made Simple (CMSMS) before 2.2.10, an authenticated user can achieve SQL Injection in class.showtime2_data.php via the functions _updateshow (parameter show_id), _inputshow (parameter show_id), _Getshowinfo (parameter show_id), _Getpictureinfo (parameter picture_id), _AdjustNameSeq (paramete...

CVSS 8.8, AI score 9, EPSS 0.00357

added 2017/01/16 6:59 a.m., 36 views

CVE-2016-7904

Cross-site request forgery (CSRF) vulnerability in CMS Made Simple before 2.1.6 allows remote attackers to hijack the authentication of administrators for requests that create accounts via an admin/adduser.php request.

CVSS 8, AI score 8.1, EPSS 0.00094

added 2018/04/18 7:29 p.m., 34 views

CVE-2018-1000158

cmsmadesimple version 2.2.7 contains an Incorrect Access Control vulnerability in the function of send_recovery_email in the line "$url = $config['admin_url'] . '/login.php?recoverme=' . $code;" that can result in Administrator Password Reset Poisoning, specifically a reset URL pointing at an attack...

CVSS 8.8, AI score 8.6, EPSS 0.00431

added 2018/04/11 7:29 p.m., 33 views

CVE-2018-10031

CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/moduleinterface.php.

CVSS 8.8, AI score 8.6, EPSS 0.0018

added 2018/03/13 3:29 p.m., 31 views

CVE-2018-1000092

CMS Made Simple version 2.2.5 contains a Cross Site Request Forgery (CSRF) vulnerability in Admin profile page that can result in Details can be found here http://dev.cmsmadesimple.org/bug/view/11715. This attack appears to be exploitable via A specially crafted web page. This vulnerability ...

CVSS 8.8, AI score 8.8, EPSS 0.00145

added 2018/04/11 7:29 p.m., 30 views

CVE-2018-10030

CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/siteprefs.php.

CVSS 8.8, AI score 8.6, EPSS 0.0018