CVE-2017-8912 – CMS Made Simple 2.1.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2017-8912
** DISPUTED ** CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated administrators to execute arbitrary PHP code via the code parameter to admin/editusertag.php, related to the CreateTagFunction and CallUserTag functions. NOTE: the vendor reportedly has stated this is "a feature, not a bug."
• https://www.exploit-db.com/exploits/41997 https://osandamalith.com/2017/05/11/cmsms-2-1-6-multiple-vulnerabilities
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2017-7256
https://notcve.org/view.php?id=CVE-2017-7256
XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_summary parameter. Someone must log in to conduct the attack.
• http://www.03i0.com/index.php/archives/113 http://www.securityfocus.com/bid/97204
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-7255
https://notcve.org/view.php?id=CVE-2017-7255
XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_title parameter. Someone must log in to conduct the attack.
• http://www.03i0.com/index.php/archives/113 http://www.securityfocus.com/bid/97203
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-7257
https://notcve.org/view.php?id=CVE-2017-7257
XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_content parameter. Someone must log in to conduct the attack.
• http://www.03i0.com/index.php/archives/113 http://www.securityfocus.com/bid/97205
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-6556
https://notcve.org/view.php?id=CVE-2017-6556
Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the "adminpage > sitesetting > General Settings > globalmetadata" field.
• http://www.daimacn.com/?id=8 http://www.securityfocus.com/bid/96933
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')