Page 12 of 67 results (0.013 seconds)

CVSS: 7.5EPSS: 13%CPEs: 1EXPL: 2

Incomplete blacklist vulnerability in javaUpload.php in Postlet in the FileManager module in CMS Made Simple 1.2.4 and earlier allows remote attackers to execute arbitrary code by uploading a file with a name ending in (1) .jsp, (2) .php3, (3) .cgi, (4) .dhtml, (5) .phtml, (6) .php5, or (7) .jar, then accessing it via a direct request to the file in modules/FileManager/postlet/. Vulnerabilidad de lista negra incompleta en javaUpload.php de Postlet en el módulo FileManager de CMS Made Simple 1.2.4 y versiones anteriores permite a atacantes remotos ejecutar código de su elección mediante la subida de un fichero con un nombre finalizado en (1) .jsp, (2) .php3, (3) .cgi, (4) .dhtml, (5) .phtml, (6) .php5, o (7) .jar, entonces accede a través de una petición directa a el fichero en modules/FileManager/postlet/. • https://www.exploit-db.com/exploits/5600 http://blog.cmsmadesimple.org/2008/05/12/announcing-cms-made-simple-125 http://secunia.com/advisories/30208 http://www.attrition.org/pipermail/vim/2008-May/001978.html http://www.securityfocus.com/bid/29170 https://exchange.xforce.ibmcloud.com/vulnerabilities/42371 • CWE-20: Improper Input Validation •

CVSS: 7.5EPSS: 5%CPEs: 1EXPL: 1

SQL injection vulnerability in content_css.php in the TinyMCE module for CMS Made Simple 1.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter. Vulnerabilidad de inyección SQL en content_css.php del módulo TinyMCE para CMS Made Simple 1.2.2 y versiones anteriores permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro templateid. • https://www.exploit-db.com/exploits/4810 http://blog.cmsmadesimple.org/2008/01/02/announcing-cms-made-simple-123 http://forum.cmsmadesimple.org/index.php/topic%2C18240.0.html http://osvdb.org/39788 http://secunia.com/advisories/28285 http://www.securityfocus.com/bid/27074 https://exchange.xforce.ibmcloud.com/vulnerabilities/39311 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0

CMS Made Simple 1.1.3.1 does not check the permissions assigned to users who attempt uploads, which allows remote authenticated users to upload unspecified files via unknown vectors. CMS Made Simple 1.1.3.1 no comprueba los permisos asignados a los usuarios que intentan enviar archivos, lo cual permite a usuarios autenticados remotamente enviar archivos no especificados a través de vectores desconocidos. • http://securityreason.com/securityalert/3223 http://www.securityfocus.com/archive/1/481984/100/0/threaded • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

CMS Made Simple 1.1.3.1 does not check the permissions assigned to users in some situations, which allows remote authenticated users to perform some administrative actions, as demonstrated by (1) adding a user via a direct request to admin/adduser.php and (2) reading the admin log via an "admin/adminlog.php?page=1" request. CMS Made Simple 1.1.3.1 no comprueba los permisos asignados a los usuarios en algunas situaciones, lo cual permite a usuarios remotos autenticados llevar a cabo algunas acciones administrativas, como se ha demostrado (1) añadiendo un usuario mediante una petición directa a admin/adduser.php y (2) leyendo el archivo de registro de administración mediante una petición "admin/adminlog.php?page=1". • http://blog.cmsmadesimple.org/2007/10/07/announcing-cms-made-simple-1141 http://osvdb.org/45481 http://securityreason.com/securityalert/3223 http://www.securityfocus.com/archive/1/481984/100/0/threaded • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple 1.1.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) the anchor tag and (2) listtags. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en CMS Made Simple 1.1.3.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de vectores no especificados relacionados con (1) la etiqueta anchor (ancla) y (2) etiquetas de lista (listtags). • http://blog.cmsmadesimple.org/2007/10/07/announcing-cms-made-simple-1141 http://osvdb.org/42471 http://osvdb.org/42472 http://securityreason.com/securityalert/3223 http://www.securityfocus.com/archive/1/481984/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •