CVSS: 7.2EPSS: 3%CPEs: 1EXPL: 1CVE-2017-8912 – CMS Made Simple 2.1.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2017-8912
12 May 2017 — CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated administrators to execute arbitrary PHP code via the code parameter to admin/editusertag.php, related to the CreateTagFunction and CallUserTag functions. NOTE: the vendor reportedly has stated this is "a feature, not a bug. ** EN DISPUTA** CMS Made Simple (CMSMS) 2.1.6 permite a los administradores autenticados remotos ejecutar código PHP arbitrario a través del parámetro de código admin/editusertag.php, relativo a las funciones CreateTagFunction y C... • https://www.exploit-db.com/exploits/41997 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2017-7255
https://notcve.org/view.php?id=CVE-2017-7255
24 Mar 2017 — XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_title parameter. Someone must login to conduct the attack. XSS existe en la característica CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" a través del parámetro m1_title. Alguien debe iniciar sesión para realizar el ataque. • http://www.03i0.com/index.php/archives/113 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2017-7256
https://notcve.org/view.php?id=CVE-2017-7256
24 Mar 2017 — XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_summary parameter. Someone must login to conduct the attack. XSS existe en la característica CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" característica a través del parámetro m1_summary. Alguien debe iniciar sesión para realizar el ataque. • http://www.03i0.com/index.php/archives/113 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2017-7257
https://notcve.org/view.php?id=CVE-2017-7257
24 Mar 2017 — XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_content parameter. Someone must login to conduct the attack. XSS existe en la característica CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" a través del parámetro m1_content. Alguien debe iniciar sesión para realizar el ataque. • http://www.03i0.com/index.php/archives/113 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2017-6555
https://notcve.org/view.php?id=CVE-2017-6555
09 Mar 2017 — Cross-site scripting (XSS) vulnerability in /admin/moduleinterface.php in CMS Made Simple 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the m1_description parameter (aka "Design Manager > Categories > Category Description"). Vulnerabilidad de XSS en /admin/moduleinterface.php en CMS Made Simple 2.1.6 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro m1_description (vulnerabilidad también conocida como "D... • http://www.daimacn.com/?id=7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2017-6556
https://notcve.org/view.php?id=CVE-2017-6556
09 Mar 2017 — Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the "adminpage > sitesetting > General Settings > globalmetadata" field. Vulnerabilidad de XSS en CMS Made Simple (CMSMS) 2.1.6 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del campo "adminpage > sitesetting > General Settings > globalmetadata". • http://www.daimacn.com/?id=8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2017-6070
https://notcve.org/view.php?id=CVE-2017-6070
21 Feb 2017 — CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to execute PHP code via the cntnt01fbrp_forma_form_template parameter in admin_store_form. CMS Made Simple versión 1.x Form Builder antes de la versión 0.8.1.6 permite a atacantes remotos ejecutar código PHP a través del parámetro cntnt01fbrp_forma_form_template en admin_store_form. • http://dev.cmsmadesimple.org/project/files/69 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2017-6071
https://notcve.org/view.php?id=CVE-2017-6071
21 Feb 2017 — CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via exportxml. CMS Made Simple versión 1.x Form Builder antes de la versión 0.8.1.6 permite a atacantes remotos llevar a cabo ataques de divulgación de información a través de exportxml. • http://dev.cmsmadesimple.org/project/files/69 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2017-6072
https://notcve.org/view.php?id=CVE-2017-6072
21 Feb 2017 — CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via defaultadmin. CMS Made Simple versión 1.x Form Builder antes de la versión 0.8.1.6 permite a atacantes remotos llevar a cabo ataques de divulgación de información a través de defaultadmin. • http://dev.cmsmadesimple.org/project/files/69 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2016-7904
https://notcve.org/view.php?id=CVE-2016-7904
16 Jan 2017 — Cross-site request forgery (CSRF) vulnerability in CMS Made Simple before 2.1.6 allows remote attackers to hijack the authentication of administrators for requests that create accounts via an admin/adduser.php request. Vulnerabilidad de CSRF en CMS Made Simple en versiones anteriores a 2.1.6 permite a atacantes remotos secuestrar la autenticación de administradores para peticiones que crean cuentas a través de una petición admin/adduser.php. • http://dev.cmsmadesimple.org/project/changelog/5392 • CWE-352: Cross-Site Request Forgery (CSRF) •