Simple CMS
by Simple CMS
CVEs (146)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-8058 | | Med | 0.31 | 4.8 | 0.01 | | Mar 12, 2018 | CMS Made Simple (CMSMS) 2.2.6 has XSS in admin/moduleinterface.php via the pagedata parameter. |
| CVE-2018-7893 | | Med | 0.31 | 4.8 | 0.01 | | Mar 12, 2018 | CMS Made Simple (CMSMS) 2.2.6 has stored XSS in admin/moduleinterface.php via the metadata parameter. |
| CVE-2018-5965 | | Med | 0.31 | 4.8 | 0.01 | | Jan 25, 2018 | CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_errors parameter. |
| CVE-2018-5964 | | Med | 0.31 | 4.8 | 0.01 | | Jan 25, 2018 | CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_messages parameter. |
| CVE-2018-5963 | | Med | 0.31 | 4.8 | 0.01 | | Jan 25, 2018 | CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/addbookmark.php via the title parameter. |
| CVE-2018-10521 | | Low | 0.18 | 2.7 | 0.01 | | Apr 27, 2018 | In CMS Made Simple (CMSMS) through 2.2.7, the "file move" operation in the admin dashboard contains an arbitrary file movement vulnerability that can cause DoS, exploitable by an admin user, because config.php can be moved into an incorrect directory. |
| CVE-2026-4225 | | Low | 0.16 | 2.4 | 0.00 | | Mar 16, 2026 | A security flaw has been discovered in CMS Made Simple up to 2.2.21. Impacted is an unknown function of the file admin/listusers.php of the component User Management Module. Performing a manipulation of the argument Message results in cross site scripting. The attack is possible… |
| CVE-2019-9053 | | | 0.10 | — | 0.56 | | Mar 26, 2019 | An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter. |
| CVE-2023-36969 | | | 0.08 | — | 0.45 | | Jul 6, 2023 | CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function. |
| CVE-2019-9692 | | | 0.08 | — | 0.47 | | Mar 11, 2019 | class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG). |
| CVE-2019-9055 | | | 0.06 | — | 0.13 | | Mar 26, 2019 | An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible reach an unserialize call with a crafted value in the… |
| CVE-2008-5642 | | | 0.04 | — | 0.09 | | Dec 17, 2008 | Directory traversal vulnerability in admin/login.php in CMS Made Simple 1.4.1 allows remote attackers to read arbitrary files via a .. (dot dot) in a cms_language cookie. |
| CVE-2005-2846 | | | 0.04 | — | 0.07 | | Sep 8, 2005 | PHP remote file inclusion vulnerability in lang.php in CMS Made Simple 0.10 and earlier allows remote attackers to execute arbitrary PHP code via the nls[file][vx][vxsfx] parameter. |
| CVE-2021-28935 | | | 0.03 | — | 0.02 | | Mar 30, 2021 | CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field. |
| CVE-2014-0334 | | | 0.03 | — | 0.02 | | Mar 2, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple allow remote authenticated users to inject arbitrary web script or HTML via (1) the group parameter to admin/addgroup.php, (2) the htmlblob parameter to admin/addhtmlblob.php, the (3) title or (4) url… |
| CVE-2010-3884 | | | 0.03 | — | 0.01 | | Oct 8, 2010 | Cross-site request forgery (CSRF) vulnerability in CMS Made Simple 1.8.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that reset the administrative password. NOTE: the provenance of this information is unknown; the details are… |
| CVE-2010-3742 | | | 0.03 | — | 0.02 | | Oct 5, 2010 | Multiple PHP remote file inclusion vulnerabilities in themes/default/index.php in Free Simple CMS 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) meta or (2) phpincdir parameter, a different issue than CVE-2010-3307. |
| CVE-2010-3307 | | | 0.03 | — | 0.02 | | Oct 5, 2010 | Multiple PHP remote file inclusion vulnerabilities in themes/default/index.php in Free Simple CMS 1.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) body, (2) footer, (3) header, (4) menu_left, or (5) menu_right parameter. |
| CVE-2009-2792 | | | 0.03 | — | 0.02 | | Aug 17, 2009 | Directory traversal vulnerability in plugings/pagecontent.php in Really Simple CMS (RSCMS) 0.3a allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the PT parameter. |
| CVE-2008-5058 | | | 0.03 | — | 0.02 | | Nov 13, 2008 | SQL injection vulnerability in siteadmin/loginsucess.php in Pre Simple CMS allows remote attackers to execute arbitrary SQL commands via the user parameter, as reachable from siteadmin/adminlogin.php. NOTE: some of these details are obtained from third party information. |