Filtered by vendor Cmsmadesimple
Subscribe
Total
156 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-13660 | 1 Cmsmadesimple | 1 Cms Made Simple | 2020-05-29 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple through 2.2.14 allows XSS via a crafted File Picker profile name. | |||||
| CVE-2017-6071 | 1 Cmsmadesimple | 2 Cms Made Simple, Form Builder | 2020-05-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via exportxml. | |||||
| CVE-2020-10681 | 1 Cmsmadesimple | 1 Cms Made Simple | 2020-03-25 | 3.5 LOW | 5.4 MEDIUM |
| The Filemanager in CMS Made Simple 2.2.13 has stored XSS via a .pxd file, as demonstrated by m1_files[] to admin/moduleinterface.php. | |||||
| CVE-2020-10682 | 1 Cmsmadesimple | 1 Cms Made Simple | 2020-03-24 | 6.8 MEDIUM | 7.8 HIGH |
| The Filemanager in CMS Made Simple 2.2.13 allows remote code execution via a .php.jpegd JPEG file, as demonstrated by m1_files[] to admin/moduleinterface.php. The file should be sent as application/octet-stream and contain PHP code (it need not be a valid JPEG file). | |||||
| CVE-2011-4310 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-12-04 | 5.0 MEDIUM | 7.5 HIGH |
| The news module in CMSMS before 1.9.4.3 allows remote attackers to corrupt new articles. | |||||
| CVE-2017-16798 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In CMS Made Simple 2.2.3.1, the is_file_acceptable function in modules/FileManager/action.upload.php only blocks file extensions that begin or end with a "php" substring, which allows remote attackers to bypass intended access restrictions or trigger XSS via other extensions, as demonstrated by .phtml, .pht, .html, or .svg. | |||||
| CVE-2019-17629 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-16 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "file manager > upload images" screen. | |||||
| CVE-2019-17630 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-16 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "News > Add Article" screen. | |||||
| CVE-2019-17226 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-08 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Module Manager > Search Term field. | |||||
| CVE-2017-11404 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-03 | 4.0 MEDIUM | 4.9 MEDIUM |
| In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a FileManager action to admin/moduleinterface.php. | |||||
| CVE-2018-10519 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| CMS Made Simple (CMSMS) 2.2.7 contains a privilege escalation vulnerability from ordinary user to admin user by arranging for the eff_uid value within $_COOKIE[$this->_loginkey] to equal 1, because files in the tmp/ directory are accessible through HTTP requests. NOTE: this vulnerability exists because of an incorrect fix for CVE-2018-10084. | |||||
| CVE-2017-11405 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-03 | 4.0 MEDIUM | 4.9 MEDIUM |
| In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a CMSContentManager action to admin/moduleinterface.php, followed by a FilePicker action to admin/moduleinterface.php in which type=image is changed to type=file. | |||||
| CVE-2018-10520 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-03 | 8.5 HIGH | 6.5 MEDIUM |
| In CMS Made Simple (CMSMS) through 2.2.7, the "module remove" operation in the admin dashboard contains an arbitrary file deletion vulnerability that can cause DoS, exploitable by an admin user, because the attacker can remove all lib/ files in all directories. | |||||
| CVE-2018-1000158 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-03 | 4.3 MEDIUM | 8.8 HIGH |
| cmsmadesimple version 2.2.7 contains a Incorrect Access Control vulnerability in the function of send_recovery_email in the line "$url = $config['admin_url'] . '/login.php?recoverme=' . $code;" that can result in Administrator Password Reset Poisoning, specifically a reset URL pointing at an attacker controlled server can be created by using a host header attack. | |||||
| CVE-2018-10518 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-03 | 8.5 HIGH | 6.5 MEDIUM |
| In CMS Made Simple (CMSMS) through 2.2.7, the "file delete" operation in the admin dashboard contains an arbitrary file deletion vulnerability that can cause DoS, exploitable by an admin user, because the attacker can remove all lib/ files in all directories. | |||||
| CVE-2018-10086 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-03 | 6.5 MEDIUM | 7.2 HIGH |
| CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary code execution vulnerability in the admin dashboard because the implementation uses "eval('function testfunction'.rand()" and it is possible to bypass certain restrictions on these "testfunction" functions. | |||||
| CVE-2018-10084 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| CMS Made Simple (CMSMS) through 2.2.6 contains a privilege escalation vulnerability from ordinary user to admin user by arranging for the eff_uid value within $_COOKIE[$this->_loginkey] to equal 1, because an SHA-1 cryptographic protection mechanism can be bypassed. | |||||
| CVE-2019-1010290 | 1 Cmsmadesimple | 1 Bable\ | 2019-07-19 | 5.8 MEDIUM | 6.1 MEDIUM |
| Babel: Multilingual site Babel All is affected by: Open Redirection. The impact is: Redirection to any URL, which is supplied to redirect.php in a "newurl" parameter. The component is: redirect.php. The attack vector is: The victim must open a link created by an attacker. Attacker may use any legitimate site using Babel to redirect user to a URL of his/her choosing. | |||||
| CVE-2019-10017 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-07-18 | 3.5 LOW | 5.4 MEDIUM |
| CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker. | |||||
| CVE-2019-11226 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-06-05 | 3.5 LOW | 5.4 MEDIUM |
| CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News. | |||||