VYPR

Simple CMS

by Simple CMS

CVEs (146)

  • CVE-2019-10105 | Mar 26, 2019
    risk 0.00 | cvss | epss 0.01

    CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager.

  • CVE-2019-9061 | Mar 26, 2019
    risk 0.00 | cvss | epss 0.02

    An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature.

  • CVE-2019-9058 | Mar 26, 2019
    risk 0.00 | cvss | epss 0.01

    An issue was discovered in CMS Made Simple 2.2.8. In the administrator page admin/changegroupperm.php, it is possible to send a crafted value in the sel_groups parameter that leads to authenticated object injection.

  • CVE-2019-9057 | Mar 26, 2019
    risk 0.00 | cvss | epss 0.02

    An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection.

  • CVE-2019-10017 | Mar 24, 2019
    risk 0.00 | cvss | epss 0.01

    CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker.

  • CVE-2019-9693 | Mar 11, 2019
    risk 0.00 | cvss | epss 0.01

    In CMS Made Simple (CMSMS) before 2.2.10, an authenticated user can achieve SQL Injection in class.showtime2_data.php via the functions _updateshow (parameter show_id), _inputshow (parameter show_id), _Getshowinfo (parameter show_id), _Getpictureinfo (parameter picture_id),…

  • CVE-2018-20464 | Dec 25, 2018
    risk 0.00 | cvss | epss 0.01

    There is a reflected XSS vulnerability in the CMS Made Simple 2.2.8 admin/myaccount.php. This vulnerability is triggered upon an attempt to modify a user's mailbox with the wrong format. The response contains the user's previously entered email address.

  • CVE-2018-19597 | Dec 19, 2018
    risk 0.00 | cvss | epss 0.01

    CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798.

  • CVE-2018-18270 | Oct 12, 2018
    risk 0.00 | cvss | epss 0.01

    XSS exists in CMS Made Simple version 2.2.7 via the m1_news_url parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action.

  • CVE-2018-18271 | Oct 12, 2018
    risk 0.00 | cvss | epss 0.01

    XSS exists in CMS Made Simple version 2.2.7 via the m1_extra parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action.

  • CVE-2014-2245 | Mar 5, 2014
    risk 0.00 | cvss | epss 0.01

    SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 allows remote authenticated users with the "Modify News" permission to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php. NOTE: some of these details are…

  • CVE-2014-2092 | Mar 2, 2014
    risk 0.00 | cvss | epss 0.01

    Cross-site scripting (XSS) vulnerability in lib/filemanager/ImageManager/editorFrame.php in CMS Made Simple 1.11.10 allows remote attackers to inject arbitrary web script or HTML via the action parameter, a different issue than CVE-2014-0334. NOTE: the original disclosure also…

  • CVE-2013-3929 | Dec 9, 2013
    risk 0.00 | cvss | epss 0.01

    Cross-site scripting (XSS) vulnerability in admin/editevent.php in CMS Made Simple (CMSMS) 1.11.9 allows remote authenticated users with the "Modify Events" permission to inject arbitrary web script or HTML via the handler parameter.

  • CVE-2012-6064 | Dec 3, 2012
    risk 0.00 | cvss | epss 0.01

    Directory traversal vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) before 1.11.2.1 allows remote authenticated administrators to delete arbitrary files via a .. (dot dot) in the deld parameter. NOTE: this can be leveraged using CSRF…

  • CVE-2012-5450 | Dec 3, 2012
    risk 0.00 | cvss | epss 0.01

    Cross-site request forgery (CSRF) vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) 1.11.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deld parameter.

  • CVE-2012-1992 | Apr 11, 2012
    risk 0.00 | cvss | epss 0.01

    Cross-site scripting (XSS) vulnerability in admin/edituser.php in CMS Made Simple 1.10.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the email parameter (aka the Email Address field in the Edit User template).

  • CVE-2011-3718 | Sep 23, 2011
    risk 0.00 | cvss | epss 0.01

    CMS Made Simple (CMSMS) 1.9.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/TinyMCE/TinyMCE.module.php and certain other files. NOTE: this might…

  • CVE-2010-4663 | Jun 8, 2011
    risk 0.00 | cvss | epss 0.01

    Unspecified vulnerability in the News module in CMS Made Simple (CMSMS) before 1.9.1 has unknown impact and attack vectors.

  • CVE-2010-3883 | Oct 8, 2010
    risk 0.00 | cvss | epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the Change Group Permissions module in CMS Made Simple 1.7.1 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that make permission modifications.

  • CVE-2010-3882 | Oct 8, 2010
    risk 0.00 | cvss | epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple 1.7.1 and earlier allow remote attackers to inject arbitrary web script or HTML via input to the (1) Add Pages, (2) Add Global Content, (3) Edit Global Content, (4) Add Article, (5) Add Category, (6) Add…
