Page 5 of 105 results (0.011 seconds)

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2

CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker. CMS Made Simple 2.2.10 tiene Cross-Site Scripting (XSS) mediante el campo Name en moduleinterface.php, que es alcanzable mediante la acción "Add a new Profile" en el File Picker. • http://dev.cmsmadesimple.org/bug/view/12001 https://ctrsec.io/index.php/2019/03/24/cmsmadesimple-xss-filepicker • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 72%CPEs: 1EXPL: 3

class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG). class.showtime2_image.php en CMS Made Simple (CMSMS), en versiones anteriores a la 2.2.10, no garantiza que un archivo con marca de agua tenga una extensión de archivos estándar (GIF, JPG, JPEG o PNG). • https://www.exploit-db.com/exploits/46627 https://www.exploit-db.com/exploits/46546 http://packetstormsecurity.com/files/152269/CMS-Made-Simple-CMSMS-Showtime2-File-Upload-Remote-Command-Execution.html http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47 http://www.rapid7.com/db/modules/exploit/multi/http/cmsms_showtime2_rce https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

In CMS Made Simple (CMSMS) before 2.2.10, an authenticated user can achieve SQL Injection in class.showtime2_data.php via the functions _updateshow (parameter show_id), _inputshow (parameter show_id), _Getshowinfo (parameter show_id), _Getpictureinfo (parameter picture_id), _AdjustNameSeq (parameter shownumber), _Updatepicture (parameter picture_id), and _Deletepicture (parameter picture_id). En CMS Made Simple (CMSMS), en versiones anteriores a la 2.2.10, un usuario autenticado puede lograr una inyección SQL en class.showtime2_data.php mediante las funciones _updateshow (parámetro show_id), _inputshow (parámetro show_id), _Getshowinfo (parámetro show_id), _Getpictureinfo (parámetro picture_id), _AdjustNameSeq (parámetro shownumber), _Updatepicture (parámetro picture_id) y Deletepicture (parámetro picture_id). • http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_data.php&rev=47 https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

There is a reflected XSS vulnerability in the CMS Made Simple 2.2.8 admin/myaccount.php. This vulnerability is triggered upon an attempt to modify a user's mailbox with the wrong format. The response contains the user's previously entered email address. Hay una vulnerabilidad de Cross-Site Scripting (XSS) reflejado en CMS Made Simple 2.2.8, en admin/myaccount.php. Esta vulnerabilidad se desencadena tras un intento de modificación de la bandeja de entrada de un usuario con el formato erróneo. • https://github.com/Xmansec/cmsms_vul • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1

CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798. CMS Made Simple 2.2.8 permite Cross-Site Scripting (XSS) mediante un documento SVG manipulado. Este problema está relacionado con CVE-2017-16798. • https://github.com/security-breachlock/CVE-2018-19597/blob/master/cmssms.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •