Total
147 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-10105 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager. | |||||
CVE-2019-9053 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter. | |||||
CVE-2019-9056 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
An issue was discovered in CMS Made Simple 2.2.8. In the module FrontEndUsers (in the file class.FrontEndUsersManipulate.php or class.FrontEndUsersManipulator.php), it is possible to reach an unserialize call with an untrusted __FEU__ cookie, and achieve authenticated object injection. | |||||
CVE-2019-9059 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
An issue was discovered in CMS Made Simple 2.2.8. It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable in Mail Settings, setting "sendmail" in the "Mailer" option, and launching the "Forgot your password" feature. | |||||
CVE-2019-11226 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News. | |||||
CVE-2019-9061 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature. | |||||
CVE-2018-20464 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
There is a reflected XSS vulnerability in the CMS Made Simple 2.2.8 admin/myaccount.php. This vulnerability is triggered upon an attempt to modify a user's mailbox with the wrong format. The response contains the user's previously entered email address. | |||||
CVE-2018-19597 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798. | |||||
CVE-2018-18270 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
XSS exists in CMS Made Simple version 2.2.7 via the m1_news_url parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action. | |||||
CVE-2018-18271 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
XSS exists in CMS Made Simple version 2.2.7 via the m1_extra parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action. | |||||
CVE-2018-10515 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
In CMS Made Simple (CMSMS) through 2.2.7, the "file unpack" operation in the admin dashboard contains a remote code execution vulnerability exploitable by an admin user because a .php file can be present in the extracted ZIP archive. | |||||
CVE-2018-10030 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/siteprefs.php. | |||||
CVE-2018-10082 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
CMS Made Simple (CMSMS) through 2.2.7 allows physical path leakage via an invalid /index.php?page= value, a crafted URI starting with /index.php?mact=Search, or a direct request to /admin/header.php, /admin/footer.php, /lib/tasks/class.ClearCache.task.php, or /lib/tasks/class.CmsSecurityCheck.task.php. | |||||
CVE-2018-5964 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_messages parameter. | |||||
CVE-2018-10522 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
In CMS Made Simple (CMSMS) through 2.2.7, the "file view" operation in the admin dashboard contains a sensitive information disclosure vulnerability, exploitable by ordinary users, because the product exposes unrestricted access to the PHP file_get_contents function. | |||||
CVE-2018-10518 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 8.5 HIGH | 6.5 MEDIUM |
In CMS Made Simple (CMSMS) through 2.2.7, the "file delete" operation in the admin dashboard contains an arbitrary file deletion vulnerability that can cause DoS, exploitable by an admin user, because the attacker can remove all lib/ files in all directories. | |||||
CVE-2018-10031 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/moduleinterface.php. | |||||
CVE-2018-10081 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
CMS Made Simple (CMSMS) through 2.2.6 contains an admin password reset vulnerability because data values are improperly compared, as demonstrated by a hash beginning with the "0e" substring. | |||||
CVE-2018-10029 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_name parameter, related to moduledepends, a different vulnerability than CVE-2017-16799. | |||||
CVE-2018-10085 | 1 Cmsmadesimple | 1 Cms Made Simple | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
CMS Made Simple (CMSMS) through 2.2.6 allows PHP object injection because of an unserialize call in the _get_data function of \lib\classes\internal\class.LoginOperations.php. By sending a crafted cookie, a remote attacker can upload and execute code, or delete files. |