CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2007-5441
https://notcve.org/view.php?id=CVE-2007-5441
CMS Made Simple 1.1.3.1 does not check the permissions assigned to users in some situations, which allows remote authenticated users to perform some administrative actions, as demonstrated by (1) adding a user via a direct request to admin/adduser.php and (2) reading the admin log via an "admin/adminlog.php?page=1" request. CMS Made Simple 1.1.3.1 no comprueba los permisos asignados a los usuarios en algunas situaciones, lo cual permite a usuarios remotos autenticados llevar a cabo algunas acciones administrativas, como se ha demostrado (1) añadiendo un usuario mediante una petición directa a admin/adduser.php y (2) leyendo el archivo de registro de administración mediante una petición "admin/adminlog.php?page=1". • http://blog.cmsmadesimple.org/2007/10/07/announcing-cms-made-simple-1141 http://osvdb.org/45481 http://securityreason.com/securityalert/3223 http://www.securityfocus.com/archive/1/481984/100/0/threaded • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2007-5443
https://notcve.org/view.php?id=CVE-2007-5443
Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple 1.1.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) the anchor tag and (2) listtags. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en CMS Made Simple 1.1.3.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de vectores no especificados relacionados con (1) la etiqueta anchor (ancla) y (2) etiquetas de lista (listtags). • http://blog.cmsmadesimple.org/2007/10/07/announcing-cms-made-simple-1141 http://osvdb.org/42471 http://osvdb.org/42472 http://securityreason.com/securityalert/3223 http://www.securityfocus.com/archive/1/481984/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2007-5444
https://notcve.org/view.php?id=CVE-2007-5444
CMS Made Simple 1.1.3.1 allows remote attackers to obtain the full path via a direct request for unspecified files. CMS Made Simple 1.1.3.1 permite a atacantes remotos obtener la ruta completa mediante una petición directa de archivos no especificados. • http://osvdb.org/41033 http://securityreason.com/securityalert/3223 http://www.securityfocus.com/archive/1/481984/100/0/threaded • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 69%CPEs: 6EXPL: 6CVE-2007-5056 – CMS Made Simple 1.2 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2007-5056
Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple, SAPID CMF, Journalness, PacerCMS, and Open-Realty, allows remote attackers to execute arbitrary code via PHP sequences in the last_module parameter. Una vulnerabilidad de inyección Eval en el archivo adodb-perf-module.inc.php en ADOdb Lite versiones 1.42 y anteriores, como es usado en productos como CMS Made Simple, SAPID CMF, Journalness, PacerCMS y Open-Realty, permite a atacantes remotos ejecutar código arbitrario por medio de secuencias PHP en el parámetro last_module. • https://www.exploit-db.com/exploits/4442 https://www.exploit-db.com/exploits/5091 https://www.exploit-db.com/exploits/5090 https://www.exploit-db.com/exploits/5098 https://www.exploit-db.com/exploits/5097 http://osvdb.org/40596 http://osvdb.org/41422 http://osvdb.org/41426 http://osvdb.org/41427 http://osvdb.org/41428 http://secunia.com/advisories/26928 http://secunia.com/advisories/28859 http://secunia.com/advisories/28873 http://secunia.com/ • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 3CVE-2007-2473 – CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection
https://notcve.org/view.php?id=CVE-2007-2473
SQL injection vulnerability in stylesheet.php in CMS Made Simple 1.0.5 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter. Vulnerabilidad de inyección SQL en el stylesheet.php del CMS Made Simple 1.0.5 y versiones anteriores permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro templateid. • https://www.exploit-db.com/exploits/29941 http://blog.cmsmadesimple.org/2007/04/24/cms-made-simple-106-released http://osvdb.org/35744 http://secunia.com/advisories/25082 http://www.scanit.be/advisory-2007-05-02.html http://www.securityfocus.com/bid/23753 http://www.vupen.com/english/advisories/2007/1628 https://exchange.xforce.ibmcloud.com/vulnerabilities/34044 •