21 matches found
CVE-2023-46040
GetSimpleCMS 3.4.0a contains a cross-site scripting vulnerability that allows a remote attacker to execute arbitrary script in a victim's browser via a crafted payload to the components.php function. The issue is documented across multiple sources (CVE-2023-46040) and is categorized as CVSS 3.1: Medium (ATT&CK...
CVE-2023-6188
GetSimpleCMS 3.3.16/3.4.0a contains a code-injection vulnerability in /admin/theme-edit.php. The issue can be triggered remotely, and public exploit activity has been noted. Mitigation per PT-2023-32557: restrict access to /admin/theme-edit.php or avoid using theme-edit.php until a patch is availab...
CVE-2020-21353
CVE-2020-21353 affects GetSimple CMS version 3.4.0a. A stored XSS exists in /admin/snippets.php via crafted payload in the Edit Snippets module, enabling execution of arbitrary web scripts/HTML if a user views the crafted content. No exploitation details or fixes are provided in the supplied docu...
CVE-2020-18658
CVE-2020-18658 is a cross-site scripting vulnerability in GetSimpleCMS, affecting versions ≤ 3.3.15. The XSS is triggered via the timezone parameter in settings.php, allowing an attacker to inject malicious script. Connected sources also reference that GetSimple CMS versions earlier than 3.3.16 a...
CVE-2020-18659
CVE-2020-18659 affects GetSimpleCMS 3.3.15 and earlier. A cross-site scripting vulnerability exists in the admin setup page: /admin/setup.php accepts user-controlled values for the sitename, username, and email parameters, enabling XSS. Connected sources consistently describe GetSimpleCMS
CVE-2020-18660
GetSimpleCMS
CVE-2020-18657
GetSimpleCMS vulnerability CVE-2020-18657: XSS in admin/changedata.php via the redirect_url parameter and the headers_sent function, affecting GetSimpleCMS versions 3.3.15 and earlier. Connected sources (NVD, Red Hat, CNVD/CNNVD, OSV, CVE entries) consistently describe a cross-site scripting fl...
CVE-2023-46042
GetSimpleCMS v3.4.0a is affected by a remote code execution vulnerability triggered by a crafted payload to phpinfo(). The issue is described across multiple sources (NVD, Red Hat, CNNVD, CVE listings, PT-Security, etc.) with no public details on the exact fix version in the provided documents. R...
CVE-2021-28976
CVE-2021-28976 affects GetSimpleCMS versions prior to 3.3.16, with a remote code execution vulnerability in admin/upload.php exploitable through PHAR file uploads. The connected sources confirm a phar-based attack chain leading to RCE (e.g., PoCs and exploits in Exploit-DB/PacketStorm) and indica...
CVE-2024-11125
GetSimpleCMS 3.3.16 is affected by a cross-site request forgery involving the /admin/profile.php endpoint. The root cause lies in the request processing in that file, which lets a remote attacker perform CSRF against an authenticated user. Multiple sources (NVD, Red Hat, OSV, CVE records) corroborate the vulnerabilit...
CVE-2023-51246
CVE-2023-51246 concerns GetSimple CMS 3.3.16 where an XSS exists when a backend user adds articles via /admin/edit.php with Source Code Mode active. The root cause is inadequate filtering/escaping of user-supplied data during article creation, leading to arbitrary script execution. Affected produ...
CVE-2021-36601
CVE-2021-36601 affects GetSimpleCMS 3.3.16: an XSS vulnerability exists in the siteURL parameter of admin/settings.php, caused by inadequate filtering (described as the tsl function not filtering the input). Multiple sources (Red Hat, NVD, OSV, OpenVAS, etc.) corroborate a cross-site scri...
CVE-2020-20389
CVE-2020-20389 is a reported cross-site scripting (XSS) vulnerability in GetSimpleCMS 3.4.0a, located in admin/edit.php. The vulnerability is documented across multiple sources (NVD, CNVD, OSV, Red Hat, OpenVAS, CVE list) with the same description, indicating an XSS flaw in GetSimpleCMS. CVSS dat...
CVE-2020-18191
GetSimpleCMS 3.3.15 is affected by a directory traversal vulnerability: remote attackers can delete arbitrary files via /GetSimpleCMS-3.3.15/admin/log.php. Root cause: the admin log handler uses a user-supplied path without validating that it stays inside the log directory. Impact: potential unauthorized file deletion. Exploitation details and...
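The traversal described in this entry, and the containment check its root cause calls for, as an added Python illustration (this is not the project's PHP code and not the actual log.php logic): the directory layout, file names and the .log suffix rule are constructed for the example.

```python
import os
import tempfile

LOG_SUFFIX = ".log"  # assumed naming rule for deletable log files


def unsafe_log_target(log_dir: str, requested: str) -> str:
    """Mirrors the flaw the entry describes: the user-supplied name is joined to the
    log directory and used as-is, so '../' segments walk out of it. Illustration only."""
    return os.path.join(log_dir, requested)


def safe_log_target(log_dir: str, requested: str):
    """Hardened variant: accept a bare file name with the expected suffix, then confirm
    the resolved path (symlinks included) still lives inside the log directory.
    Returns the path to delete, or None when the request is rejected."""
    # Layer 1: the request must be a bare file name, not a path.
    if requested != os.path.basename(requested) or not requested.endswith(LOG_SUFFIX):
        return None
    # Layer 2: resolve both sides and check containment on the canonical paths.
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    # Layer 3: only delete an existing regular file.
    if not os.path.isfile(target):
        return None
    return target


def demo() -> dict:
    """Builds a throwaway directory layout (constructed data) and runs the two checks side by side."""
    root = tempfile.mkdtemp()
    log_dir = os.path.join(root, "data", "logs")
    os.makedirs(log_dir)
    victim = os.path.join(root, "gsconfig.php")  # a file outside the log directory
    for path in (victim, os.path.join(log_dir, "failedlogins.log")):
        with open(path, "w") as fh:
            fh.write("constructed\n")
    traversal = os.path.join("..", "..", "gsconfig.php")
    return {
        "unsafe_escapes": os.path.realpath(unsafe_log_target(log_dir, traversal))
        == os.path.realpath(victim),
        "safe_rejects_traversal": safe_log_target(log_dir, traversal) is None,
        "safe_allows_real_log": safe_log_target(log_dir, "failedlogins.log") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The basename check alone would already stop the '../' payload; the realpath containment check is kept because it also covers symlinks placed inside the log directory and any future code path that builds the name from more than one input.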
CVE-2020-20391
CVE-2020-20391 targets GetSimpleCMS 3.4.0a, with a Cross-Site Scripting vulnerability in admin/snippets.php triggered via Add Snippet and Save snippets. The connected entries confirm the affected product/version and vulnerability type (XSS) but do not provide concrete root-cause details beyond th...
CVE-2021-28977
GetSimpleCMS 3.3.16 is affected by a cross-site scripting vulnerability in admin/upload.php. The issue arises from injecting comments or file header data into uploaded xla, pages, and gzip files, which the upload handling then stores and renders, enabling XSS. Multiple connected sources (including Red Hat, CNVD/CNNVD, OSV, CVE registry) ...
CVE-2013-10032
CVE-2013-10032 affects GetSimpleCMS 3.2.1 via upload.php: authenticated users can upload arbitrary files without proper MIME/extension validation, so a disguised .pht file containing PHP code can be placed in the web root and executed. Root cause: blacklist-based filtering instead of a whit...
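The deny-list versus allow-list distinction this entry's root cause turns on, as an added Python illustration (not GetSimpleCMS's upload.php): the three extension sets are assumed for the example, and the .pht case is the one the entry names. It also goes slightly beyond the entry by covering the double-extension and NUL-byte variants of the same disguise.

```python
# Constructed deny-list in the style the entry describes: it names the PHP
# extensions the author thought of and lets everything else through.
DENIED_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml"}

# Allow-list of what an attachment endpoint actually needs (assumed set).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"}

# Extensions a common PHP handler configuration may execute (assumed set;
# .pht is the one the entry names). Used as a defence-in-depth second layer.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "pht", "phtml", "phar", "phps"}


def blacklist_allows(filename: str) -> bool:
    """Vulnerable check: compares only the final extension against a deny-list.
    'shell.pht' passes because nobody listed it; 'shell.php\\x00.jpg' passes
    because the final extension is 'jpg'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DENIED_EXTENSIONS


def allowlist_allows(filename: str):
    """Hardened check. Returns the accepted file name, or None when rejected.
    The client-supplied MIME type is attacker-controlled, so it is not consulted."""
    # The name must be a bare file name: no path separators, no NUL bytes.
    if any(c in filename for c in "/\\\x00"):
        return None
    parts = filename.lower().split(".")
    # Require 'stem.ext' with non-empty segments; this also refuses dotfiles such
    # as '.htaccess', which could re-map handlers if the upload directory honours them.
    if len(parts) < 2 or any(p == "" for p in parts):
        return None
    # No extension segment may be an executable type ('shell.php.jpg').
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return None
    # The final extension must be on the allow-list.
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return None
    return filename


if __name__ == "__main__":
    for name in ("photo.jpg", "shell.pht", "shell.php.jpg", "shell.php\x00.jpg", ".htaccess"):
        print(repr(name), "blacklist:", blacklist_allows(name), "allowlist:", allowlist_allows(name))
```

Even the allow-list version only decides what name to store; the stored file should still be written under a server-generated name into a directory the web server does not execute scripts from.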
CVE-2021-47778
CVE-2021-47778 affects GetSimple CMS My SMTP Contact Plugin 1.1.2. A PHP code injection vulnerability exists that allows an authenticated administrator to inject arbitrary PHP code via plugin configuration parameters, resulting in remote code execution on the server. The Red Hat and NVD/NVD-deriv...
CVE-2021-47870
CVE-2021-47870 affects GetSimple CMS with the plugin “My SMTP Contact Plugin” v1.1.2. The stored XSS arises because input is sanitized with htmlspecialchars() but can be bypassed by escaped hex bytes, enabling arbitrary client-side code execution in an administrator’s browser when visiting a craf...
CVE-2021-47830
GetSimple CMS My SMTP Contact Plugin 1.1.1 is affected by a CSRF vulnerability. An attacker can lure an authenticated administrator to a malicious page to modify SMTP configuration settings, potentially enabling unauthorized changes. The vulnerability is CSRF with no direct remote code execution ...
CVE-2021-47860
CVE-2021-47860 concerns GetSimple CMS Custom JS 0.1. The vulnerability is a cross-site request forgery that lets unauthenticated attackers inject arbitrary client-side code into administrator browsers, potentially delivering an XSS payload that executes remote code on the hosting s...