Page 4 of 106 results (0.003 seconds)

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

A Cross-site scripting (XSS) vulnerability in CMS Made Simple v2.2.17 allows remote attackers to inject arbitrary web script or HTML via the File Upload function. • https://okankurtulus.com.tr/2023/06/27/cms-made-simple-v2-2-17-stored-cross-site-scripting-xss-authenticated • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1

File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file. • https://github.com/beerpwn/CVE/blob/master/cms_made_simple_2021/file_upload_RCE/File_upload_to_RCE.md https://seclists.org/fulldisclosure/2021/Mar/50 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php. • https://github.com/beerpwn/CVE/blob/master/cms_made_simple_2021/sqli_order_by/CMS-MS-SQLi-report.md https://seclists.org/fulldisclosure/2021/Mar/49 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 3

CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL language without using the '. CMS Made Simple versiones anteriores a 2.2.15 incluyéndola, está afectado por una inyección SQL en el archivomodules/News/function.admin_articlestab.php. La variable $sortby está concatenada con $query1, pero es posible inyectar un lenguaje SQL arbitrario sin usar la variable " • https://github.com/beerpwn/CVE/blob/master/cms_made_simple_2021/sqli_order_by/CMS-MS-SQLi-report.md https://packetstormsecurity.com/files/161895/CMS-Made-Simple-2.2.15-SQL-Injection.html https://seclists.org/fulldisclosure/2021/Mar/49 https://www.soteritsecurity.com/blog/2023/01/CMS-Made-Simple_CVE-2021-40961.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Cross Site Scripting (XSS) vulnerability exists in CMS Made Simple 2.2.15 via the Name field in an Add Category action in moduleinterface.php. Se presenta una vulnerabilidad de tipo Cross Site Scripting (XSS) en CMS Made Simple versión 2.2.15, por medio del campo Name en una acción Add Category en el archivo moduleinterface.php • https://elprofesor.me/2021/10/24/stored-cross-site-scripting-via-m1-name-authenticated • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •