Getsimple CMS
Source repositories
CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-17103 | | High | 0.57 | 8.8 | 0.01 | | Sep 16, 2018 | An issue was discovered in GetSimple CMS v3.3.13. There is a CSRF vulnerability that can change the administrator's password via admin/settings.php. NOTE: The vendor reported that the PoC was sending a value for the nonce parameter |
| CVE-2017-8081 | | High | 0.57 | 8.8 | 0.01 | | Apr 30, 2017 | Poor cryptographic salt initialization in admin/inc/template_functions.php in GetSimple CMS 3.3.13 allows a network attacker to escalate privileges to an arbitrary user or conduct CSRF attacks via calculation of a session cookie or CSRF nonce. |
| CVE-2018-9173 | | Medium | 0.43 | 6.1 | 0.03 | | Apr 2, 2018 | Cross-site scripting (XSS) vulnerability in admin/template/js/uploadify/uploadify.swf in GetSimple CMS 3.3.13 allows remote attackers to inject arbitrary web script or HTML, as demonstrated by the movieName parameter. |
| CVE-2018-16325 | | Medium | 0.40 | 6.1 | 0.01 | | Sep 1, 2018 | There is XSS in GetSimple CMS 3.4.0.9 via the admin/edit.php title field. |
| CVE-2017-10673 | | Medium | 0.40 | 6.1 | 0.01 | | Jun 29, 2017 | admin/profile.php in GetSimple CMS 3.x has XSS in a name field. |
| CVE-2018-17835 | | Medium | 0.31 | 4.8 | 0.01 | | Oct 1, 2018 | An issue was discovered in GetSimple CMS 3.3.15. An administrator can insert stored XSS via the admin/settings.php Custom Permalink Structure parameter, which injects the XSS payload into any page created at the admin/pages.php URI. |
| CVE-2018-15843 | | Medium | 0.31 | 4.8 | 0.01 | | Aug 25, 2018 | GetSimple CMS 3.3.14 has XSS via the admin/edit.php "Add New Page" field. |
| CVE-2019-9915 | | | 0.01 | — | 0.04 | | Mar 21, 2019 | GetSimpleCMS 3.3.13 has an Open Redirect via the admin/index.php redirect parameter. |
| CVE-2018-19845 | | | 0.00 | — | 0.01 | | Dec 31, 2018 | There is Stored XSS in GetSimple CMS 3.3.12 via the admin/edit.php "post-menu" parameter, a related issue to CVE-2018-16325. |
| CVE-2018-19420 | | | 0.00 | — | 0.01 | | Nov 21, 2018 | In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but there are several alternative cases in which HTML can be executed, such as a file with no extension or an unrecognized extension (e.g., the test or test.asdf filename), because of admin/upload-uploadify.php, and… |
| CVE-2018-19421 | | | 0.00 | — | 0.01 | | Nov 21, 2018 | In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but Internet Explorer renders HTML elements in a .eml file, because of admin/upload-uploadify.php, and validate_safe_file in admin/inc/security_functions.php. |
| CVE-2014-8790 | | | 0.00 | — | 0.03 | | Jan 20, 2015 | XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter. |