CVSS: 7.2EPSS: 77%CPEs: 1EXPL: 2CVE-2018-1000094 – CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-1000094
CMS Made Simple version 2.2.5 contains a Remote Code Execution vulnerability in File Manager that can result in Allows an authenticated admin that has access to the file manager to execute code on the server. This attack appear to be exploitable via File upload -> copy to any extension. CMS Made Simple 2.2.5 contiene una vulnerabilidad de ejecución remota de código en File Manager que podría permitir que un administrador autenticado con acceso al gestor de archivos ejecute código en el servidor. El ataque parece ser explotable mediante File upload -> copy a cualquier extensión. CMS Made Simple version 2.2.5 allows an authenticated administrator to upload a file and rename it to have a .php extension. • https://www.exploit-db.com/exploits/44976 http://dev.cmsmadesimple.org/bug/view/11741 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-7893
https://notcve.org/view.php?id=CVE-2018-7893
CMS Made Simple (CMSMS) 2.2.6 has stored XSS in admin/moduleinterface.php via the metadata parameter. CMS Made Simple (CMSMS) 2.2.6 tiene Cross-Site Scripting (XSS) persistente en admin/moduleinterface.php mediante el parámetro metadata. • https://github.com/ibey0nd/CVE/blob/master/CMS%20Made%20Simple%20Stored%20XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-8058
https://notcve.org/view.php?id=CVE-2018-8058
CMS Made Simple (CMSMS) 2.2.6 has XSS in admin/moduleinterface.php via the pagedata parameter. CMS Made Simple (CMSMS) 2.2.6 tiene Cross-Site Scripting (XSS) en admin/moduleinterface.php mediante el parámetro pagedata. • https://github.com/ibey0nd/CVE/blob/master/CMS%20Made%20Simple%20Stored%20XSS%202.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 8%CPEs: 1EXPL: 2CVE-2018-7448 – CMS Made Simple 2.1.6 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-7448
Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure. Vulnerabilidad de ejecución remota de código en /cmsms-2.1.6-install.php/index.php en CMS Made Simple 2.1.6 permite que atacantes remotos inyecten código PHP arbitrario mediante el parámetro "timezone" en el paso 4 del procedimiento de nueva instalación. CMS Made Simple version 2.1.6 suffers from a remote code execution vulnerability during install time. • https://www.exploit-db.com/exploits/44192 http://dev.cmsmadesimple.org/project/changelog/5471 https://packetstormsecurity.com/files/146568/CMS-Made-Simple-2.1.6-Remote-Code-Execution.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 3CVE-2018-5965
https://notcve.org/view.php?id=CVE-2018-5965
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_errors parameter. CMS Made Simple (CMSMS) 2.2.5 tiene Cross-Site Scripting (XSS) en admin/moduleinterface.php a través del parámetro m1_errors. • http://packetstormsecurity.com/files/146035/CMS-Made-Simple-2.2.5-moduleinterface.php-m1_errors-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2018/Jan/83 https://kyawminthein901497298.wordpress.com/2018/01/22/cms-made-simple-2-2-5-reflected-cross-site-scripting • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •