CVSS: 9.8EPSS: 91%CPEs: 1EXPL: 4CVE-2019-11231 – GetSimpleCMS - Unauthenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-11231
16 May 2019 — An issue was discovered in GetSimple CMS through 3.3.15. insufficient input sanitation in the theme-edit.php file allows upload of files with arbitrary content (PHP code, for example). This vulnerability is triggered by an authenticated user; however, authentication can be bypassed. According to the official documentation for installation step 10, an admin is required to upload all the files, including the .htaccess files, and run a health check. However, what is overlooked is that the Apache HTTP Server by... • https://packetstorm.news/files/id/152961 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17103
https://notcve.org/view.php?id=CVE-2018-17103
16 Sep 2018 — An issue was discovered in GetSimple CMS v3.3.13. There is a CSRF vulnerability that can change the administrator's password via admin/settings.php. NOTE: The vendor reported that the PoC was sending a value for the nonce parameter ** EN DISPUTA ** Se ha descubierto un problema en GetSimple CMS v3.3.13. Hay una vulnerabilidad CSRF que puede cambiar la contraseña del administrador mediante admin settings.php. NOTA: el fabricante informa de que el PoC estaba enviando un valor para el parámetro nonce. • https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1295 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2018-9173 – GetSimple CMS 3.3.13 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-9173
02 Apr 2018 — Cross-site scripting (XSS) vulnerability in admin/template/js/uploadify/uploadify.swf in GetSimple CMS 3.3.13 allows remote attackers to inject arbitrary web script or HTML, as demonstrated by the movieName parameter. Existe una vulnerabilidad explotable de uso de credenciales embebidas en los puntos de acceso inalámbrico Moxa AWK-3131A que ejecuten la versión 1.1 del firmware. El sistema operativo del dispositivo contiene una cuenta (root) privilegiada y sin documentar con credenciales embebidas, lo que da... • https://packetstorm.news/files/id/147064 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8081
https://notcve.org/view.php?id=CVE-2017-8081
30 Apr 2017 — Poor cryptographic salt initialization in admin/inc/template_functions.php in GetSimple CMS 3.3.13 allows a network attacker to escalate privileges to an arbitrary user or conduct CSRF attacks via calculation of a session cookie or CSRF nonce. Una mala inicialización criptográfica del salt en admin/inc/template_functions.php en GetSimple CMS versión 3.3.13 permite a un atacante de red escalar privilegios a un usuario arbitrario o producir ataques CSRF mediante el cálculo de una cookie de sesión o un CSRF de... • https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1224 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •