
CVE-2024-27622
https://notcve.org/view.php?id=CVE-2024-27622
05 Mar 2024 — A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19 / 2.2.21. This vulnerability arises from inadequate sanitization of user-supplied input in the 'Code' section of the module. As a result, authenticated users with administrative privileges can inject and execute arbitrary PHP code. • https://github.com/capture0x/CMSMadeSimple • CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2024-27623
https://notcve.org/view.php?id=CVE-2024-27623
05 Mar 2024 — CMS Made Simple version 2.2.19 is vulnerable to Server-Side Template Injection (SSTI). The vulnerability exists within the Design Manager, particularly when editing the Breadcrumbs. • https://github.com/capture0x/CMSMadeSimple2 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2023-43352
https://notcve.org/view.php?id=CVE-2023-43352
26 Oct 2023 — An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component. • https://github.com/sromanhu/CVE-2023-43352-CMSmadesimple-SSTI--Content • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2023-43360
https://notcve.org/view.php?id=CVE-2023-43360
24 Oct 2023 — Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component. • https://github.com/sromanhu/CVE-2023-43360-CMSmadesimple-Stored-XSS---File-Picker-extension • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-43358
https://notcve.org/view.php?id=CVE-2023-43358
23 Oct 2023 — Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the News Menu component. • https://github.com/sromanhu/CVE-2023-43358-CMSmadesimple-Stored-XSS---News • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-43356
https://notcve.org/view.php?id=CVE-2023-43356
20 Oct 2023 — Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Global Metadata parameter in the Global Settings Menu component. • https://github.com/sromanhu/CVE-2023-43356-CMSmadesimple-Stored-XSS---Global-Settings • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-43357
https://notcve.org/view.php?id=CVE-2023-43357
20 Oct 2023 — Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the Manage Shortcuts component. • https://github.com/sromanhu/CVE-2023-43357-CMSmadesimple-Stored-XSS---Shortcut • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-43353
https://notcve.org/view.php?id=CVE-2023-43353
20 Oct 2023 — Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the extra parameter in the news menu component. • https://github.com/sromanhu/CVE-2023-43353-CMSmadesimple-Stored-XSS---News---Extra • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-43354
https://notcve.org/view.php?id=CVE-2023-43354
20 Oct 2023 — Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Profiles parameter in the Extensions - MicroTiny WYSIWYG editor component. • https://github.com/sromanhu/CVE-2023-43354-CMSmadesimple-Stored-XSS---MicroTIny-extension • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-43355
https://notcve.org/view.php?id=CVE-2023-43355
20 Oct 2023 — Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the password and password again parameters in the My Preferences - Add user component. • https://github.com/sromanhu/CVE-2023-43355-CMSmadesimple-Reflected-XSS---Add-user • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')