Vendor CVEs
Simple CMS
All CVEs
146 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description | Vendor / Product | Sev | KEV |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-9055 | 0.06 | — | 0.13 | Mar 26, 2019 | An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible to reach an unserialize call with a crafted value in the… | |||
| CVE-2008-5642 | 0.04 | — | 0.09 | Dec 17, 2008 | Directory traversal vulnerability in admin/login.php in CMS Made Simple 1.4.1 allows remote attackers to read arbitrary files via a .. (dot dot) in a cms_language cookie. | |||
| CVE-2005-2846 | 0.04 | — | 0.07 | Sep 8, 2005 | PHP remote file inclusion vulnerability in lang.php in CMS Made Simple 0.10 and earlier allows remote attackers to execute arbitrary PHP code via the nls[file][vx][vxsfx] parameter. | |||
| CVE-2021-28935 | 0.03 | — | 0.02 | Mar 30, 2021 | CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field. | |||
| CVE-2014-0334 | 0.03 | — | 0.02 | Mar 2, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple allow remote authenticated users to inject arbitrary web script or HTML via (1) the group parameter to admin/addgroup.php, (2) the htmlblob parameter to admin/addhtmlblob.php, the (3) title or (4) url… | |||
| CVE-2010-3884 | 0.03 | — | 0.01 | Oct 8, 2010 | Cross-site request forgery (CSRF) vulnerability in CMS Made Simple 1.8.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that reset the administrative password. NOTE: the provenance of this information is unknown; the details are… | |||
| CVE-2010-3742 | 0.03 | — | 0.02 | Oct 5, 2010 | Multiple PHP remote file inclusion vulnerabilities in themes/default/index.php in Free Simple CMS 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) meta or (2) phpincdir parameter, a different issue than CVE-2010-3307. | |||
| CVE-2010-3307 | 0.03 | — | 0.02 | Oct 5, 2010 | Multiple PHP remote file inclusion vulnerabilities in themes/default/index.php in Free Simple CMS 1.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) body, (2) footer, (3) header, (4) menu_left, or (5) menu_right parameter. | |||
| CVE-2009-2792 | 0.03 | — | 0.02 | Aug 17, 2009 | Directory traversal vulnerability in plugings/pagecontent.php in Really Simple CMS (RSCMS) 0.3a allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the PT parameter. | |||
| CVE-2008-5058 | 0.03 | — | 0.02 | Nov 13, 2008 | SQL injection vulnerability in siteadmin/loginsucess.php in Pre Simple CMS allows remote attackers to execute arbitrary SQL commands via the user parameter, as reachable from siteadmin/adminlogin.php. NOTE: some of these details are obtained from third party information. | |||
| CVE-2008-2267 | 0.03 | — | 0.05 | May 16, 2008 | Incomplete blacklist vulnerability in javaUpload.php in Postlet in the FileManager module in CMS Made Simple 1.2.4 and earlier allows remote attackers to execute arbitrary code by uploading a file with a name ending in (1) .jsp, (2) .php3, (3) .cgi, (4) .dhtml, (5) .phtml, (6)… | |||
| CVE-2008-0835 | 0.03 | — | 0.01 | Feb 20, 2008 | SQL injection vulnerability in indexen.php in Simple CMS 1.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the area parameter. | |||
| CVE-2007-6656 | 0.03 | — | 0.01 | Jan 4, 2008 | SQL injection vulnerability in content_css.php in the TinyMCE module for CMS Made Simple 1.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter. | |||
| CVE-2007-2473 | 0.03 | — | 0.04 | May 2, 2007 | SQL injection vulnerability in stylesheet.php in CMS Made Simple 1.0.5 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter. | |||
| CVE-2006-6845 | 0.03 | — | 0.02 | Dec 31, 2006 | Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the cntnt01searchinput parameter in a Search action. | |||
| CVE-2005-3083 | 0.03 | — | 0.01 | Sep 27, 2005 | Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 0.10 allows remote attackers to inject arbitrary web script or HTML via the page parameter. | |||
| CVE-2022-23906 | 0.01 | — | 0.02 | Feb 28, 2022 | CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file. | |||
| CVE-2019-9059 | 0.01 | — | 0.02 | Mar 26, 2019 | An issue was discovered in CMS Made Simple 2.2.8. It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable in Mail Settings, setting "sendmail" in the "Mailer" option, and launching the "Forgot your password"… | |||
| CVE-2010-2797 | 0.01 | — | 0.08 | Oct 8, 2010 | Directory traversal vulnerability in lib/translation.functions.php in CMS Made Simple before 1.8.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the default_cms_lang parameter to an admin script, as demonstrated by… | |||
| CVE-2021-47919 | 0.00 | — | 0.00 | Feb 1, 2026 | Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks. | |||
| CVE-2021-47917 | 0.00 | — | 0.00 | Feb 1, 2026 | Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote attackers to inject malicious script code. Attackers can exploit the newUser and editUser modules to inject persistent scripts that execute on user list preview,… | |||
| CVE-2023-53927 | 0.00 | — | 0.00 | Dec 17, 2025 | PHPJabbers Simple CMS 5.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through section name parameters. Attackers can create sections with embedded JavaScript payloads that will execute when administrators… | |||
| CVE-2023-53926 | 0.00 | — | 0.01 | Dec 17, 2025 | PHPJabbers Simple CMS 5.0 contains a SQL injection vulnerability in the 'column' parameter that allows remote attackers to manipulate database queries. Attackers can inject crafted SQL payloads through the 'column' parameter in the index.php endpoint to potentially extract or… | |||
| CVE-2025-63678 | 0.00 | — | 0.00 | Nov 10, 2025 | An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted PHP file. | |||
| CVE-2025-5153 | 0.00 | — | 0.00 | May 25, 2025 | A vulnerability, which was classified as problematic, has been found in CMS Made Simple 2.2.21. This issue affects some unknown processing of the component Design Manager Module. The manipulation of the argument Description leads to cross site scripting. The attack may be… | |||
| CVE-2024-1529 | 0.00 | — | 0.00 | Mar 12, 2024 | Vulnerability in CMS Made Simple 2.2.14, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/adduser.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially… | |||
| CVE-2024-1528 | 0.00 | — | 0.00 | Mar 12, 2024 | CMS Made Simple version 2.2.14, does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/moduleinterface.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted… | |||
| CVE-2024-1527 | 0.00 | — | 0.01 | Mar 12, 2024 | Unrestricted file upload vulnerability in CMS Made Simple, affecting version 2.2.14. This vulnerability allows an authenticated user to bypass the security measures of the upload functionality and potentially create a remote execution of commands via webshell. | |||
| CVE-2024-27622 | 0.00 | — | 0.02 | Mar 5, 2024 | A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19 / 2.2.21. This vulnerability arises from inadequate sanitization of user-supplied input in the 'Code' section of the module. As a result, authenticated… | |||
| CVE-2024-27625 | 0.00 | — | 0.00 | Mar 5, 2024 | CMS Made Simple Version 2.2.19 is vulnerable to Cross Site Scripting (XSS). This vulnerability resides in the File Manager module of the admin panel. Specifically, the issue arises due to inadequate sanitization of user input in the "New directory" field. | |||
| CVE-2024-27623 | 0.00 | — | 0.00 | Mar 5, 2024 | CMS Made Simple version 2.2.19 is vulnerable to Server-Side Template Injection (SSTI). The vulnerability exists within the Design Manager, particularly when editing the Breadcrumbs. | |||
| CVE-2024-27559 | 0.00 | — | 0.00 | Mar 1, 2024 | Stupid Simple CMS v1.2.4 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /save_settings.php. | |||
| CVE-2024-27689 | 0.00 | — | 0.00 | Mar 1, 2024 | Stupid Simple CMS v1.2.4 was discovered to contain a Cross-Site Request Forgery (CSRF) via /update-article.php. | |||
| CVE-2024-22715 | 0.00 | — | 0.00 | Jan 17, 2024 | Stupid Simple CMS <=1.2.4 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin-edit.php. | |||
| CVE-2023-36970 | 0.00 | — | 0.00 | Jul 6, 2023 | A Cross-site scripting (XSS) vulnerability in CMS Made Simple v2.2.17 allows remote attackers to inject arbitrary web script or HTML via the File Upload function. | |||
| CVE-2021-28998 | 0.00 | — | 0.01 | May 8, 2023 | File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file. | |||
| CVE-2021-28999 | 0.00 | — | 0.01 | May 8, 2023 | SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php. | |||
| CVE-2021-40961 | 0.00 | — | 0.02 | Jun 9, 2022 | CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL language without using the '. | |||
| CVE-2021-43154 | 0.00 | — | 0.01 | Apr 13, 2022 | Cross Site Scripting (XSS) vulnerability exists in CMS Made Simple 2.2.15 via the Name field in an Add Category action in moduleinterface.php. | |||
| CVE-2022-23907 | 0.00 | — | 0.01 | Feb 28, 2022 | CMS Made Simple v2.2.15 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the parameter m1_fmmessage. | |||
| CVE-2020-23481 | 0.00 | — | 0.00 | Sep 22, 2021 | CMS Made Simple 2.2.14 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Field Definition text field. | |||
| CVE-2019-9060 | 0.00 | — | 0.01 | Sep 17, 2021 | An issue was discovered in CMS Made Simple 2.2.8. It is possible to achieve unauthenticated path traversal in the CGExtensions module (in the file action.setdefaulttemplate.php) with the m1_filename parameter; and through the action.showmessage.php file, it is possible to read… | |||
| CVE-2020-22732 | 0.00 | — | 0.00 | Aug 5, 2021 | CMS Made Simple (CMSMS) 2.2.14 allows stored XSS via the Extensions > File Picker. | |||
| CVE-2020-23241 | 0.00 | — | 0.00 | Jul 26, 2021 | Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via "News > Article" feature. | |||
| CVE-2020-23240 | 0.00 | — | 0.00 | Jul 26, 2021 | Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature. | |||
| CVE-2020-36416 | 0.00 | — | 0.00 | Jul 2, 2021 | A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Design" parameter under the "Designs" module. | |||
| CVE-2020-36415 | 0.00 | — | 0.00 | Jul 2, 2021 | A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Stylesheet" parameter under the "Stylesheets" module. | |||
| CVE-2020-36414 | 0.00 | — | 0.00 | Jul 2, 2021 | A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "URL (slug)" or "Extra" fields under the "Add Article" feature. | |||
| CVE-2020-36413 | 0.00 | — | 0.00 | Jul 2, 2021 | A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Exclude these IP addresses from the "Site Down" status" parameter under the "Maintenance Mode"… | |||
| CVE-2020-36412 | 0.00 | — | 0.00 | Jul 2, 2021 | A stored cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Search Text" field under the "Admin Search" module. |
Page 2 of 3