Cmsmadesimple

All CVEs

110 total · sorted by risk
  • CVE-2019-9053 · Mar 26, 2019
    risk 0.10 · cvss · epss 0.56

    An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.

  • CVE-2019-9692 · Mar 11, 2019
    risk 0.08 · cvss · epss 0.47

    class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).

  • CVE-2019-9055 · Mar 26, 2019
    risk 0.06 · cvss · epss 0.13

    An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible to reach an unserialize call with a crafted value in the…

  • CVE-2007-5056 · Sep 24, 2007
    risk 0.05 · cvss · epss 0.28

    Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple, SAPID CMF, Journalness, PacerCMS, and Open-Realty, allows remote attackers to execute arbitrary code via PHP sequences in the last_module…

  • CVE-2008-5642 · Dec 17, 2008
    risk 0.04 · cvss · epss 0.09

    Directory traversal vulnerability in admin/login.php in CMS Made Simple 1.4.1 allows remote attackers to read arbitrary files via a .. (dot dot) in a cms_language cookie.

  • CVE-2005-2846 · Sep 8, 2005
    risk 0.04 · cvss · epss 0.07

    PHP remote file inclusion vulnerability in lang.php in CMS Made Simple 0.10 and earlier allows remote attackers to execute arbitrary PHP code via the nls[file][vx][vxsfx] parameter.

  • CVE-2014-0334 · Mar 2, 2014
    risk 0.03 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple allow remote authenticated users to inject arbitrary web script or HTML via (1) the group parameter to admin/addgroup.php, (2) the htmlblob parameter to admin/addhtmlblob.php, the (3) title or (4) url…

  • CVE-2010-3884 · Oct 8, 2010
    risk 0.03 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in CMS Made Simple 1.8.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that reset the administrative password. NOTE: the provenance of this information is unknown; the details are…

  • CVE-2008-2267 · May 16, 2008
    risk 0.03 · cvss · epss 0.05

    Incomplete blacklist vulnerability in javaUpload.php in Postlet in the FileManager module in CMS Made Simple 1.2.4 and earlier allows remote attackers to execute arbitrary code by uploading a file with a name ending in (1) .jsp, (2) .php3, (3) .cgi, (4) .dhtml, (5) .phtml, (6)…

  • CVE-2007-6656 · Jan 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in content_css.php in the TinyMCE module for CMS Made Simple 1.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter.

  • CVE-2007-2473 · May 2, 2007
    risk 0.03 · cvss · epss 0.04

    SQL injection vulnerability in stylesheet.php in CMS Made Simple 1.0.5 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter.

  • CVE-2006-6845 · Dec 31, 2006
    risk 0.03 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the cntnt01searchinput parameter in a Search action.

  • CVE-2005-3083 · Sep 27, 2005
    risk 0.03 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 0.10 allows remote attackers to inject arbitrary web script or HTML via the page parameter.

  • CVE-2019-9059 · Mar 26, 2019
    risk 0.01 · cvss · epss 0.02

    An issue was discovered in CMS Made Simple 2.2.8. It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable in Mail Settings, setting "sendmail" in the "Mailer" option, and launching the "Forgot your password"…

  • CVE-2010-2797 · Oct 8, 2010
    risk 0.01 · cvss · epss 0.08

    Directory traversal vulnerability in lib/translation.functions.php in CMS Made Simple before 1.8.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the default_cms_lang parameter to an admin script, as demonstrated by…

  • CVE-2023-43352 · Oct 26, 2023
    risk 0.00 · cvss · epss 0.01

    An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component.

  • CVE-2023-43360 · Oct 24, 2023
    risk 0.00 · cvss · epss 0.01

    Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component.

  • CVE-2023-43358 · Oct 23, 2023
    risk 0.00 · cvss · epss 0.01

    Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the News Menu component.

  • CVE-2023-43355 · Oct 20, 2023
    risk 0.00 · cvss · epss 0.00

    Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the password and password again parameters in the My Preferences - Add user component.

  • CVE-2023-43357 · Oct 20, 2023
    risk 0.00 · cvss · epss 0.00

    Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the Manage Shortcuts component.

  • CVE-2023-43353 · Oct 20, 2023
    risk 0.00 · cvss · epss 0.00

    Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the extra parameter in the news menu component.

  • CVE-2023-43356 · Oct 20, 2023
    risk 0.00 · cvss · epss 0.00

    Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Global Metadata parameter in the Global Settings Menu component.

  • CVE-2023-43354 · Oct 20, 2023
    risk 0.00 · cvss · epss 0.00

    Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Profiles parameter in the Extensions - MicroTiny WYSIWYG editor component.

  • CVE-2023-43359 · Oct 19, 2023
    risk 0.00 · cvss · epss 0.00

    Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Page Specific Metadata and Smarty data parameters in the Content Manager Menu component.

  • CVE-2023-43872 · Sep 28, 2023
    risk 0.00 · cvss · epss 0.01

    A File upload vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to upload a pdf file with hidden Cross Site Scripting (XSS).

  • CVE-2023-43339 · Sep 25, 2023
    risk 0.00 · cvss · epss 0.01

    Cross-Site Scripting (XSS) vulnerability in cmsmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload injected into the Database Name, DataBase User or Database Port components.

  • CVE-2023-23795 · Jun 22, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Muneeb Form Builder plugin <= 1.9.9.0 versions.

  • CVE-2022-2567 · Sep 19, 2022
    risk 0.00 · cvss · epss 0.00

    The Form Builder CP WordPress plugin before 1.2.32 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in…

  • CVE-2019-11513 · Apr 25, 2019
    risk 0.00 · cvss · epss 0.01

    The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action.

  • CVE-2019-9056 · Apr 11, 2019
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in CMS Made Simple 2.2.8. In the module FrontEndUsers (in the file class.FrontEndUsersManipulate.php or class.FrontEndUsersManipulator.php), it is possible to reach an unserialize call with an untrusted __FEU__ cookie, and achieve authenticated object…

  • CVE-2019-10106 · Mar 26, 2019
    risk 0.00 · cvss · epss 0.01

    CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name field, which is reachable via an "Add Category" action to the "Site Admin Settings - News module" section.

  • CVE-2019-10105 · Mar 26, 2019
    risk 0.00 · cvss · epss 0.01

    CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager.

  • CVE-2019-9061 · Mar 26, 2019
    risk 0.00 · cvss · epss 0.02

    An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature.

  • CVE-2019-9058 · Mar 26, 2019
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in CMS Made Simple 2.2.8. In the administrator page admin/changegroupperm.php, it is possible to send a crafted value in the sel_groups parameter that leads to authenticated object injection.

  • CVE-2019-10017 · Mar 24, 2019
    risk 0.00 · cvss · epss 0.01

    CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker.

  • CVE-2019-9693 · Mar 11, 2019
    risk 0.00 · cvss · epss 0.01

    In CMS Made Simple (CMSMS) before 2.2.10, an authenticated user can achieve SQL Injection in class.showtime2_data.php via the functions _updateshow (parameter show_id), _inputshow (parameter show_id), _Getshowinfo (parameter show_id), _Getpictureinfo (parameter picture_id),…

  • CVE-2018-20464 · Dec 25, 2018
    risk 0.00 · cvss · epss 0.01

    There is a reflected XSS vulnerability in the CMS Made Simple 2.2.8 admin/myaccount.php. This vulnerability is triggered upon an attempt to modify a user's mailbox with the wrong format. The response contains the user's previously entered email address.

  • CVE-2018-19597 · Dec 19, 2018
    risk 0.00 · cvss · epss 0.01

    CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798.

  • CVE-2018-18270 · Oct 12, 2018
    risk 0.00 · cvss · epss 0.01

    XSS exists in CMS Made Simple version 2.2.7 via the m1_news_url parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action.

  • CVE-2018-18271 · Oct 12, 2018
    risk 0.00 · cvss · epss 0.01

    XSS exists in CMS Made Simple version 2.2.7 via the m1_extra parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action.

  • CVE-2014-2245 · Mar 5, 2014
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 allows remote authenticated users with the "Modify News" permission to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php. NOTE: some of these details are…

  • CVE-2014-2092 · Mar 2, 2014
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in lib/filemanager/ImageManager/editorFrame.php in CMS Made Simple 1.11.10 allows remote attackers to inject arbitrary web script or HTML via the action parameter, a different issue than CVE-2014-0334. NOTE: the original disclosure also…

  • CVE-2013-3929 · Dec 9, 2013
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in admin/editevent.php in CMS Made Simple (CMSMS) 1.11.9 allows remote authenticated users with the "Modify Events" permission to inject arbitrary web script or HTML via the handler parameter.

  • CVE-2013-4167 · Oct 11, 2013
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) before 1.11.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2012-6064 · Dec 3, 2012
    risk 0.00 · cvss · epss 0.01

    Directory traversal vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) before 1.11.2.1 allows remote authenticated administrators to delete arbitrary files via a .. (dot dot) in the deld parameter. NOTE: this can be leveraged using CSRF…

  • CVE-2012-5450 · Dec 3, 2012
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) 1.11.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deld parameter.

  • CVE-2012-1992 · Apr 11, 2012
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in admin/edituser.php in CMS Made Simple 1.10.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the email parameter (aka the Email Address field in the Edit User template).

  • CVE-2011-3718 · Sep 23, 2011
    risk 0.00 · cvss · epss 0.01

    CMS Made Simple (CMSMS) 1.9.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/TinyMCE/TinyMCE.module.php and certain other files. NOTE: this might…

  • CVE-2010-4663 · Jun 8, 2011
    risk 0.00 · cvss · epss 0.01

    Unspecified vulnerability in the News module in CMS Made Simple (CMSMS) before 1.9.1 has unknown impact and attack vectors.

  • CVE-2010-3883 · Oct 8, 2010
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the Change Group Permissions module in CMS Made Simple 1.7.1 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that make permission modifications.