CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 2CVE-2018-5964 – CMS Made Simple 2.2.5 moduleinterface.php title Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-5964
24 Jan 2018 — CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_messages parameter. CMS Made Simple (CMSMS) 2.2.5 tiene Cross-Site Scripting (XSS) en admin/moduleinterface.php a través del parámetro m1_messages. CMS Made Simple version 2.2.5 suffers from a reflective cross site scripting vulnerability in /admin/moduleinterface.php. • http://packetstormsecurity.com/files/146034/CMS-Made-Simple-2.2.5-moduleinterface.php-title-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 3CVE-2018-5965 – CMS Made Simple 2.2.5 moduleinterface.php m1_errors Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-5965
24 Jan 2018 — CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_errors parameter. CMS Made Simple (CMSMS) 2.2.5 tiene Cross-Site Scripting (XSS) en admin/moduleinterface.php a través del parámetro m1_errors. CMS Made Simple version 2.2.5 suffers from a reflective cross site scripting vulnerability in /admin/moduleinterface.php. • http://packetstormsecurity.com/files/146035/CMS-Made-Simple-2.2.5-moduleinterface.php-m1_errors-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 0CVE-2017-1000453
https://notcve.org/view.php?id=CVE-2017-1000453
02 Jan 2018 — CMS Made Simple version 2.1.6 and 2.2 are vulnerable to Smarty templating injection in some core modules, resulting in unauthenticated PHP code execution. CMS Made Simple, en sus versiones 2.1.6 y 2.2, es vulnerable a una inyección de plantillas de Smarty en algunos módulos centrales. Esto resulta en la ejecución de código PHP sin autenticación. • https://www.cmsmadesimple.org/2017/06/Announcing-CMSMS-2-2-1-Hearts-Desire • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2017-1000454
https://notcve.org/view.php?id=CVE-2017-1000454
02 Jan 2018 — CMS Made Simple 2.1.6, 2.2, 2.2.1 are vulnerable to Smarty Template Injection in some core components, resulting in local file read before 2.2, and local file inclusion since 2.2.1 CMS Made Simple 2.1.6, 2.2 y 2.2.1 es vulnerable a una inyección de plantillas de Smarty en algunos componentes centrales. Esto resulta en la lectura de archivos locales en versiones anteriores a la 2.2 y en la inclusión de archivos locales desde la versión 2.2.1. • https://www.cmsmadesimple.org/2017/07/Announcing-CMSMS-2.2.2-Hearts-Content • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-17734
https://notcve.org/view.php?id=CVE-2017-17734
18 Dec 2017 — CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in sessions. CMS Made Simple (CMSMS) en versiones anteriores a la 2.2.5 no almacena en caché correctamente la información de inicio de sesión en las sesiones. • https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=77737 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-17735
https://notcve.org/view.php?id=CVE-2017-17735
18 Dec 2017 — CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in cookies. CMS Made Simple (CMSMS) en versiones anteriores a la 2.2.5 no almacena en caché correctamente la información de inicio de sesión en las cookies. • https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=77737 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16798
https://notcve.org/view.php?id=CVE-2017-16798
12 Nov 2017 — In CMS Made Simple 2.2.3.1, the is_file_acceptable function in modules/FileManager/action.upload.php only blocks file extensions that begin or end with a "php" substring, which allows remote attackers to bypass intended access restrictions or trigger XSS via other extensions, as demonstrated by .phtml, .pht, .html, or .svg. En CMS Made Simple 2.2.3.1, la función is_file_acceptable en modules/FileManager/action.upload.php solo bloquea las extensiones de archivo que empiezan o finalizan con una subcadena "php... • https://github.com/bsmali4/cve/blob/master/CMS%20Made%20Simple%20UPLOAD%20FILE%20XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 17%CPEs: 1EXPL: 4CVE-2017-16783 – CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection
https://notcve.org/view.php?id=CVE-2017-16783
10 Nov 2017 — In CMS Made Simple 2.1.6, there is Server-Side Template Injection via the cntnt01detailtemplate parameter. En CMS Made Simple 2.1.6, existe inyección de plantillas del lado del servidor mediante el parámetro cntnt01detailtemplate. CMS Made Simple version 2.1.6 suffers from cross site scripting and server-side template injection vulnerabilities. • https://packetstorm.news/files/id/159690 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-16784
https://notcve.org/view.php?id=CVE-2017-16784
10 Nov 2017 — In CMS Made Simple 2.2.2, there is Reflected XSS via the cntnt01detailtemplate parameter. En CMS Made Simple 2.2.2, existe Cross-Site Scripting (XSS) reflejado mediante el parámetro cntnt01detailtemplate. • https://www.netsparker.com/web-applications-advisories/ns-17-031-reflected-xss-vulnerability-in-cms-made-simple • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1CVE-2017-11404
https://notcve.org/view.php?id=CVE-2017-11404
18 Jul 2017 — In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a FileManager action to admin/moduleinterface.php. En CMS Made Simple (CMSMS) versión 2.2.2, los administradores autenticados remotos pueden cargar un archivo .php por medio de una acción FileManager en el archivo admin/moduleinterface.php. • http://www.yuesec.com/img/cccccve/CMSMadeSimple/upl0advul123/images/upload_vulnerability_yuesec.html • CWE-434: Unrestricted Upload of File with Dangerous Type •