CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 1CVE-2014-0334 – CMS Made Simple 1.11.9 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-0334
Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple allow remote authenticated users to inject arbitrary web script or HTML via (1) the group parameter to admin/addgroup.php, (2) the htmlblob parameter to admin/addhtmlblob.php, the (3) title or (4) url parameter to admin/addbookmark.php, (5) the stylesheet_name parameter to admin/copystylesheet.php, (6) the template_name parameter to admin/copytemplate.php, the (7) title or (8) url parameter to admin/editbookmark.php, (9) the template parameter to admin/listtemplates.php, or (10) the css_name parameter to admin/listcss.php, a different issue than CVE-2014-2092. Múltiples vulnerabilidades de XSS en CMS Made Simple permiten a usuarios remotos autenticados intectar script Web o HTML arbitrarios a través de (1) el parámetro group hacia admin/addgroup.php, (2) el parámetro htmlblob hacia admin/addhtmlblob.php, el (3) título o (4) parámetro url hacia admin/addbookmark.php, (5) el parámetro stylesheet_name hacia admin/copystylesheet.php, (6) el parámetro template_name hacia admin/copytemplate.php, el (7) título o (8) parámetro url hacia admin/editbookmark.php, (9) el parámetro template hacia admin/listtemplates.php o (10) el parámetro css_name hacia admin/listcss.php, un problema diferente a CVE-2014-2092. • https://www.exploit-db.com/exploits/43889 http://www.kb.cert.org/vuls/id/526062 http://www.securityfocus.com/bid/65898 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2014-2092
https://notcve.org/view.php?id=CVE-2014-2092
Cross-site scripting (XSS) vulnerability in lib/filemanager/ImageManager/editorFrame.php in CMS Made Simple 1.11.10 allows remote attackers to inject arbitrary web script or HTML via the action parameter, a different issue than CVE-2014-0334. NOTE: the original disclosure also reported issues that may not cross privilege boundaries. Vulnerabilidad de XSS en lib/filemanager/ImageManager/editorFrame.php en CMS Made Simple 1.11.10 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través del parámetro action, un problema diferente a CVE-2014-0334. NOTA: la divulgación original también informó de problemas que pueden no cruzar límites de privilegio. • http://packetstormsecurity.com/files/125353/CMSMadeSimple-1.11.10-Cross-Site-Scripting.html http://www.securityfocus.com/bid/65746 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 2.1EPSS: 0%CPEs: 1EXPL: 0CVE-2013-3929
https://notcve.org/view.php?id=CVE-2013-3929
Cross-site scripting (XSS) vulnerability in admin/editevent.php in CMS Made Simple (CMSMS) 1.11.9 allows remote authenticated users with the "Modify Events" permission to inject arbitrary web script or HTML via the handler parameter. Vulnerabilidad de XSS en admin/editevent.php de CMS Made Simple (CMSMS) 1.11.9 permite a usuarios remotos autenticados con permisos de "Modify Events" inyectar script web o HTML arbitrario a través del parámetro handler. • http://secunia.com/advisories/53920 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2013-4167
https://notcve.org/view.php?id=CVE-2013-4167
Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) before 1.11.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en CMS Made Simple (CMSMS) anterior a la versión 1.11.7 permite a atacantes remotos inyectar script web o HTML arbitrario a través de vectores no especificados. • http://forum.cmsmadesimple.org/viewtopic.php?f=1&t=66590&p=299356 http://www.openwall.com/lists/oss-security/2013/07/21/1 http://www.openwall.com/lists/oss-security/2013/07/25/7 https://twitter.com/LeakFree/status/336942367351394305 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.5EPSS: 0%CPEs: 86EXPL: 0CVE-2012-6064
https://notcve.org/view.php?id=CVE-2012-6064
Directory traversal vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) before 1.11.2.1 allows remote authenticated administrators to delete arbitrary files via a .. (dot dot) in the deld parameter. NOTE: this can be leveraged using CSRF (CVE-2012-5450) to allow remote attackers to delete arbitrary files. Vulnerabilidad de salto de directorio en lib/filemanager/imagemanager/images.php en CMS Made Simple (CMSMS) antes de v1.11.2.1 permite a administradores autenticados remotamente borrar archivos de su elección a través de .. (punto punto) en el parámetro deld. • http://archives.neohapsis.com/archives/bugtraq/2012-11/0035.html http://forum.cmsmadesimple.org/viewtopic.php?f=1&t=63545 http://packetstormsecurity.org/files/117951/CMS-Made-Simple-1.11.2-Cross-Site-Request-Forgery.html http://secunia.com/advisories/51185 http://viewsvn.cmsmadesimple.org/diff.php?repname=cmsmadesimple&path=%2Ftrunk%2Flib%2Ffilemanager%2FImageManager%2FClasses%2FImageManager.php&rev=8400&peg=8498 https://exchange.xforce.ibmcloud.com/vulnerabilities/79881 https://www.htbridge.com/advisory/HTB23121 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •