
CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

25 Apr 2019 — The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action. • http://dev.cmsmadesimple.org/bug/view/12022 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 1% | CPEs: 1 | EXPL: 0

11 Apr 2019 — An issue was discovered in CMS Made Simple 2.2.8. In the module FrontEndUsers (in the file class.FrontEndUsersManipulate.php or class.FrontEndUsersManipulator.php), it is possible to reach an unserialize call with an untrusted __FEU__ cookie, and achieve authenticated object injection. • https://newsletter.cmsmadesimple.org/w/89247Qog4jCRCuRinvhsofwg • CWE-502: Deserialization of Untrusted Data

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

26 Mar 2019 — CMS Made Simple 2.2.10 has XSS via the myaccount.php "Email Address" field, which is reachable via the "My Preferences -> My Account" section. • http://dev.cmsmadesimple.org/bug/view/12003 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

26 Mar 2019 — CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name field, which is reachable via an "Add Category" action to the "Site Admin Settings - News module" section. • http://dev.cmsmadesimple.org/bug/view/12004 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

26 Mar 2019 — CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager. • http://dev.cmsmadesimple.org/bug/view/12002 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

26 Mar 2019 — An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature. • https://newsletter.cmsmadesimple.org/w/89247Qog4jCRCuRinvhsofwg • CWE-502: Deserialization of Untrusted Data • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSS: 7.2 | EPSS: 5% | CPEs: 1 | EXPL: 0

26 Mar 2019 — An issue was discovered in CMS Made Simple 2.2.8. It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable in Mail Settings, setting "sendmail" in the "Mailer" option, and launching the "Forgot your password" feature. • https://newsletter.cmsmadesimple.org/w/89247Qog4jCRCuRinvhsofwg • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 7.2 | EPSS: 1% | CPEs: 1 | EXPL: 0

26 Mar 2019 — An issue was discovered in CMS Made Simple 2.2.8. In the administrator page admin/changegroupperm.php, it is possible to send a crafted value in the sel_groups parameter that leads to authenticated object injection. • https://newsletter.cmsmadesimple.org/w/89247Qog4jCRCuRinvhsofwg • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

26 Mar 2019 — An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection. • https://newsletter.cmsmadesimple.org/w/89247Qog4jCRCuRinvhsofwg • CWE-502: Deserialization of Untrusted Data • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSS: 8.8 | EPSS: 31% | CPEs: 1 | EXPL: 1

26 Mar 2019 — An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible to reach an unserialize call with a crafted value in the m1_allparms parameter, and achieve object injection. • https://packetstorm.news/files/id/155322 • CWE-502: Deserialization of Untrusted Data