CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-17734
https://notcve.org/view.php?id=CVE-2017-17734
CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in sessions. CMS Made Simple (CMSMS) en versiones anteriores a la 2.2.5 no almacena en caché correctamente la información de inicio de sesión en las sesiones. • https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=77737 https://www.cmsmadesimple.org/2017/12/Announcing-CMSMS-v2.2.5-Wawa • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-17735
https://notcve.org/view.php?id=CVE-2017-17735
CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in cookies. CMS Made Simple (CMSMS) en versiones anteriores a la 2.2.5 no almacena en caché correctamente la información de inicio de sesión en las cookies. • https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=77737 https://www.cmsmadesimple.org/2017/12/Announcing-CMSMS-v2.2.5-Wawa • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 3CVE-2017-16783 – CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection
https://notcve.org/view.php?id=CVE-2017-16783
In CMS Made Simple 2.1.6, there is Server-Side Template Injection via the cntnt01detailtemplate parameter. En CMS Made Simple 2.1.6, existe inyección de plantillas del lado del servidor mediante el parámetro cntnt01detailtemplate. CMS Made Simple version 2.1.6 suffers from a server-side template injection vulnerability. • https://www.exploit-db.com/exploits/48944 http://packetstormsecurity.com/files/159690/CMS-Made-Simple-2.1.6-Server-Side-Template-Injection.html https://www.netsparker.com/web-applications-advisories/ns-17-032-server-side-template-injection-vulnerability-in-cms-made-simple • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9668
https://notcve.org/view.php?id=CVE-2017-9668
In admin\addgroup.php in CMS Made Simple 2.1.6, when adding a user group, there is no XSS filtering, resulting in storage-type XSS generation, via the description parameter in an addgroup action. En admin\addgroup.php en el gestor de contenidos Made Simple 2.1.6, cuando se añade un nuevo grupo no filtra el XSS resultando en la generación de un Storage-type XSS, mediante el parametro de descripción en la acción de añadir grupo. • https://github.com/XiaoZhis/ProjectSend/issues/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 5%CPEs: 1EXPL: 1CVE-2017-8912 – CMS Made Simple 2.1.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2017-8912
CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated administrators to execute arbitrary PHP code via the code parameter to admin/editusertag.php, related to the CreateTagFunction and CallUserTag functions. NOTE: the vendor reportedly has stated this is "a feature, not a bug. ** EN DISPUTA** CMS Made Simple (CMSMS) 2.1.6 permite a los administradores autenticados remotos ejecutar código PHP arbitrario a través del parámetro de código admin/editusertag.php, relativo a las funciones CreateTagFunction y CallUserTag. NOTA: el vendedor ha declarado que esto es "una característica, no un error". • https://www.exploit-db.com/exploits/41997 https://osandamalith.com/2017/05/11/cmsms-2-1-6-multiple-vulnerabilities • CWE-94: Improper Control of Generation of Code ('Code Injection') •