Cmsmadesimple
Source repositories
CVEs (100)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-5963 | Med | 0.31 | 4.8 | 0.01 | Jan 25, 2018 | CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/addbookmark.php via the title parameter. | ||
| CVE-2018-10521 | Low | 0.18 | 2.7 | 0.01 | Apr 27, 2018 | In CMS Made Simple (CMSMS) through 2.2.7, the "file move" operation in the admin dashboard contains an arbitrary file movement vulnerability that can cause DoS, exploitable by an admin user, because config.php can be moved into an incorrect directory. | ||
| CVE-2019-9053 | 0.10 | — | 0.56 | Mar 26, 2019 | An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter. | |||
| CVE-2019-9692 | 0.08 | — | 0.47 | Mar 11, 2019 | class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG). | |||
| CVE-2019-9055 | 0.06 | — | 0.13 | Mar 26, 2019 | An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible reach an unserialize call with a crafted value in the… | |||
| CVE-2007-5056 | 0.05 | — | 0.28 | Sep 24, 2007 | Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple, SAPID CMF, Journalness, PacerCMS, and Open-Realty, allows remote attackers to execute arbitrary code via PHP sequences in the last_module… | |||
| CVE-2008-5642 | 0.04 | — | 0.09 | Dec 17, 2008 | Directory traversal vulnerability in admin/login.php in CMS Made Simple 1.4.1 allows remote attackers to read arbitrary files via a .. (dot dot) in a cms_language cookie. | |||
| CVE-2005-2846 | 0.04 | — | 0.07 | Sep 8, 2005 | PHP remote file inclusion vulnerability in lang.php in CMS Made Simple 0.10 and earlier allows remote attackers to execute arbitrary PHP code via the nls[file][vx][vxsfx] parameter. | |||
| CVE-2014-0334 | 0.03 | — | 0.02 | Mar 2, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple allow remote authenticated users to inject arbitrary web script or HTML via (1) the group parameter to admin/addgroup.php, (2) the htmlblob parameter to admin/addhtmlblob.php, the (3) title or (4) url… | |||
| CVE-2010-3884 | 0.03 | — | 0.01 | Oct 8, 2010 | Cross-site request forgery (CSRF) vulnerability in CMS Made Simple 1.8.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that reset the administrative password. NOTE: the provenance of this information is unknown; the details are… | |||
| CVE-2008-2267 | 0.03 | — | 0.05 | May 16, 2008 | Incomplete blacklist vulnerability in javaUpload.php in Postlet in the FileManager module in CMS Made Simple 1.2.4 and earlier allows remote attackers to execute arbitrary code by uploading a file with a name ending in (1) .jsp, (2) .php3, (3) .cgi, (4) .dhtml, (5) .phtml, (6)… | |||
| CVE-2007-6656 | 0.03 | — | 0.01 | Jan 4, 2008 | SQL injection vulnerability in content_css.php in the TinyMCE module for CMS Made Simple 1.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter. | |||
| CVE-2007-2473 | 0.03 | — | 0.04 | May 2, 2007 | SQL injection vulnerability in stylesheet.php in CMS Made Simple 1.0.5 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter. | |||
| CVE-2006-6845 | 0.03 | — | 0.02 | Dec 31, 2006 | Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the cntnt01searchinput parameter in a Search action. | |||
| CVE-2005-3083 | 0.03 | — | 0.01 | Sep 27, 2005 | Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 0.10 allows remote attackers to inject arbitrary web script or HTML via the page parameter. | |||
| CVE-2019-9059 | 0.01 | — | 0.02 | Mar 26, 2019 | An issue was discovered in CMS Made Simple 2.2.8. It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable in Mail Settings, setting "sendmail" in the "Mailer" option, and launching the "Forgot your password"… | |||
| CVE-2010-2797 | 0.01 | — | 0.08 | Oct 8, 2010 | Directory traversal vulnerability in lib/translation.functions.php in CMS Made Simple before 1.8.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the default_cms_lang parameter to an admin script, as demonstrated by… | |||
| CVE-2023-43352 | 0.00 | — | 0.01 | Oct 26, 2023 | An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component. | |||
| CVE-2023-43360 | 0.00 | — | 0.01 | Oct 24, 2023 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component. | |||
| CVE-2023-43358 | 0.00 | — | 0.01 | Oct 23, 2023 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the News Menu component. |
- risk 0.31cvss 4.8epss 0.01
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/addbookmark.php via the title parameter.
- risk 0.18cvss 2.7epss 0.01
In CMS Made Simple (CMSMS) through 2.2.7, the "file move" operation in the admin dashboard contains an arbitrary file movement vulnerability that can cause DoS, exploitable by an admin user, because config.php can be moved into an incorrect directory.
- CVE-2019-9053Mar 26, 2019risk 0.10cvss —epss 0.56
An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.
- CVE-2019-9692Mar 11, 2019risk 0.08cvss —epss 0.47
class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).
- CVE-2019-9055Mar 26, 2019risk 0.06cvss —epss 0.13
An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible reach an unserialize call with a crafted value in the…
- CVE-2007-5056Sep 24, 2007risk 0.05cvss —epss 0.28
Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple, SAPID CMF, Journalness, PacerCMS, and Open-Realty, allows remote attackers to execute arbitrary code via PHP sequences in the last_module…
- CVE-2008-5642Dec 17, 2008risk 0.04cvss —epss 0.09
Directory traversal vulnerability in admin/login.php in CMS Made Simple 1.4.1 allows remote attackers to read arbitrary files via a .. (dot dot) in a cms_language cookie.
- CVE-2005-2846Sep 8, 2005risk 0.04cvss —epss 0.07
PHP remote file inclusion vulnerability in lang.php in CMS Made Simple 0.10 and earlier allows remote attackers to execute arbitrary PHP code via the nls[file][vx][vxsfx] parameter.
- CVE-2014-0334Mar 2, 2014risk 0.03cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple allow remote authenticated users to inject arbitrary web script or HTML via (1) the group parameter to admin/addgroup.php, (2) the htmlblob parameter to admin/addhtmlblob.php, the (3) title or (4) url…
- CVE-2010-3884Oct 8, 2010risk 0.03cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in CMS Made Simple 1.8.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that reset the administrative password. NOTE: the provenance of this information is unknown; the details are…
- CVE-2008-2267May 16, 2008risk 0.03cvss —epss 0.05
Incomplete blacklist vulnerability in javaUpload.php in Postlet in the FileManager module in CMS Made Simple 1.2.4 and earlier allows remote attackers to execute arbitrary code by uploading a file with a name ending in (1) .jsp, (2) .php3, (3) .cgi, (4) .dhtml, (5) .phtml, (6)…
- CVE-2007-6656Jan 4, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in content_css.php in the TinyMCE module for CMS Made Simple 1.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter.
- CVE-2007-2473May 2, 2007risk 0.03cvss —epss 0.04
SQL injection vulnerability in stylesheet.php in CMS Made Simple 1.0.5 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter.
- CVE-2006-6845Dec 31, 2006risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the cntnt01searchinput parameter in a Search action.
- CVE-2005-3083Sep 27, 2005risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 0.10 allows remote attackers to inject arbitrary web script or HTML via the page parameter.
- CVE-2019-9059Mar 26, 2019risk 0.01cvss —epss 0.02
An issue was discovered in CMS Made Simple 2.2.8. It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable in Mail Settings, setting "sendmail" in the "Mailer" option, and launching the "Forgot your password"…
- CVE-2010-2797Oct 8, 2010risk 0.01cvss —epss 0.08
Directory traversal vulnerability in lib/translation.functions.php in CMS Made Simple before 1.8.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the default_cms_lang parameter to an admin script, as demonstrated by…
- CVE-2023-43352Oct 26, 2023risk 0.00cvss —epss 0.01
An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component.
- CVE-2023-43360Oct 24, 2023risk 0.00cvss —epss 0.01
Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component.
- CVE-2023-43358Oct 23, 2023risk 0.00cvss —epss 0.01
Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the News Menu component.
Page 3 of 5