CVE-2019-10107
https://notcve.org/view.php?id=CVE-2019-10107
CMS Made Simple 2.2.10 has XSS via the myaccount.php "Email Address" field, which is reachable via the "My Preferences -> My Account" section.
• http://dev.cmsmadesimple.org/bug/view/12003
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10106
https://notcve.org/view.php?id=CVE-2019-10106
CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name field, which is reachable via an "Add Category" action to the "Site Admin Settings - News module" section.
• http://dev.cmsmadesimple.org/bug/view/12004
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10105
https://notcve.org/view.php?id=CVE-2019-10105
CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager.
• http://dev.cmsmadesimple.org/bug/view/12002
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-9061
https://notcve.org/view.php?id=CVE-2019-9061
An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature.
• https://newsletter.cmsmadesimple.org/w/89247Qog4jCRCuRinvhsofwg
• https://www.cmsmadesimple.org/2019/03/Announcing-CMS-Made-Simple-v2.2.10-Spuzzum
• CWE-502: Deserialization of Untrusted Data
• CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2019-9059
https://notcve.org/view.php?id=CVE-2019-9059
An issue was discovered in CMS Made Simple 2.2.8. It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable in Mail Settings, setting "sendmail" in the "Mailer" option, and launching the "Forgot your password" feature.
• https://newsletter.cmsmadesimple.org/w/89247Qog4jCRCuRinvhsofwg
• https://www.cmsmadesimple.org/2019/03/Announcing-CMS-Made-Simple-v2.2.10-Spuzzum
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')