Page 9 of 55 results (0.010 seconds)

CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0

Cross-site request forgery (CSRF) vulnerability in CMS Made Simple before 2.1.6 allows remote attackers to hijack the authentication of administrators for requests that create accounts via an admin/adduser.php request. Vulnerabilidad de CSRF en CMS Made Simple en versiones anteriores a 2.1.6 permite a atacantes remotos secuestrar la autenticación de administradores para peticiones que crean cuentas a través de una petición admin/adduser.php. • http://dev.cmsmadesimple.org/project/changelog/5392 http://www.openwall.com/lists/oss-security/2017/01/16/1 http://www.securityfocus.com/bid/95453 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 4.7EPSS: 94%CPEs: 80EXPL: 1

CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2, when Smarty Cache is activated, allow remote attackers to conduct cache poisoning attacks, modify links, and conduct cross-site scripting (XSS) attacks via a crafted HTTP Host header in a request. CMS Made Simple 2.x en versiones anteriores a 2.1.3 y 1.x en versiones anteriores a 1.12.2, cuando está activada la Smarty Cache, permiten a atacantes remotos llevar a cabo ataques de envenenamiento de la caché, modificar enlaces y llevar a cabo ataques de secuencias de comandos en sitios cruzados (XSS) a través de una cabecera HTTP Host manipulada en una petición. CMS Made Simple versions prior to 2.1.3 and 1.12.2 suffer from a web server cache poisoning vulnerability. • https://www.exploit-db.com/exploits/39760 http://packetstormsecurity.com/files/136897/CMS-Made-Simple-Cache-Poisoning.html http://seclists.org/fulldisclosure/2016/May/15 http://www.cmsmadesimple.org/2016/03/Announcing-CMSMS-1-12-2-kolonia http://www.cmsmadesimple.org/2016/04/Announcing-CMSMS-2-1-3-Black-Point http://www.securityfocus.com/archive/1/538272/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.0EPSS: 0%CPEs: 64EXPL: 0

SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 allows remote authenticated users with the "Modify News" permission to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php. NOTE: some of these details are obtained from third party information. Vulnerabilidad de inyección SQL en el módulo News en CMS Made Simple (CMSMS) anterior a 1.11.10 permite a usuarios remotos autenticados con el permiso "Modify News" ejecutar comandos SQL arbitrarios a través del parámetro sortby hacia admin/moduleinterface.php. NOTA: algunos de estos detalles se obtiene de información de terceras partes. • http://dev.cmsmadesimple.org/project/changelog/4602 http://seclists.org/oss-sec/2014/q1/467 http://secunia.com/advisories/56996 http://www.securityfocus.com/bid/65953 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0

Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) before 1.11.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en CMS Made Simple (CMSMS) anterior a la versión 1.11.7 permite a atacantes remotos inyectar script web o HTML arbitrario a través de vectores no especificados. • http://forum.cmsmadesimple.org/viewtopic.php?f=1&t=66590&p=299356 http://www.openwall.com/lists/oss-security/2013/07/21/1 http://www.openwall.com/lists/oss-security/2013/07/25/7 https://twitter.com/LeakFree/status/336942367351394305 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 3.5EPSS: 0%CPEs: 86EXPL: 0

Directory traversal vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) before 1.11.2.1 allows remote authenticated administrators to delete arbitrary files via a .. (dot dot) in the deld parameter. NOTE: this can be leveraged using CSRF (CVE-2012-5450) to allow remote attackers to delete arbitrary files. Vulnerabilidad de salto de directorio en lib/filemanager/imagemanager/images.php en CMS Made Simple (CMSMS) antes de v1.11.2.1 permite a administradores autenticados remotamente borrar archivos de su elección a través de .. (punto punto) en el parámetro deld. • http://archives.neohapsis.com/archives/bugtraq/2012-11/0035.html http://forum.cmsmadesimple.org/viewtopic.php?f=1&t=63545 http://packetstormsecurity.org/files/117951/CMS-Made-Simple-1.11.2-Cross-Site-Request-Forgery.html http://secunia.com/advisories/51185 http://viewsvn.cmsmadesimple.org/diff.php?repname=cmsmadesimple&path=%2Ftrunk%2Flib%2Ffilemanager%2FImageManager%2FClasses%2FImageManager.php&rev=8400&peg=8498 https://exchange.xforce.ibmcloud.com/vulnerabilities/79881 https://www.htbridge.com/advisory/HTB23121 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •