CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1529 – Cross-site Scripting in CMS Made Simple
https://notcve.org/view.php?id=CVE-2024-1529
12 Mar 2024 — Vulnerability in CMS Made Simple 2.2.14, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/adduser.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially take over their browser session. Vulnerabilidad en CMS Made Simple 2.2.14, que no codifica suficientemente la entrada controlada por el usuario, lo que resulta en una vul... • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cms-made-simple • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1528 – Cross-site Scripting in CMS Made Simple
https://notcve.org/view.php?id=CVE-2024-1528
12 Mar 2024 — CMS Made Simple version 2.2.14, does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/moduleinterface.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session. CMS Made Simple versión 2.2.14 no codifica suficientemente la entrada controlada por el usuario, lo que genera una vulnerabilidad de Cross Site Scr... • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cms-made-simple • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1527 – Unrestricted Upload of File with Dangerous Type in CMS Made Simple
https://notcve.org/view.php?id=CVE-2024-1527
12 Mar 2024 — Unrestricted file upload vulnerability in CMS Made Simple, affecting version 2.2.14. This vulnerability allows an authenticated user to bypass the security measures of the upload functionality and potentially create a remote execution of commands via webshell. Vulnerabilidad de carga de archivos sin restricciones en CMS Made Simple, que afecta a la versión 2.2.14. Esta vulnerabilidad permite a un usuario autenticado eludir las medidas de seguridad de la funcionalidad de carga y potencialmente crear una ejec... • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cms-made-simple • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-28998
https://notcve.org/view.php?id=CVE-2021-28998
08 May 2023 — File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file. • https://github.com/beerpwn/CVE/blob/master/cms_made_simple_2021/file_upload_RCE/File_upload_to_RCE.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-28999
https://notcve.org/view.php?id=CVE-2021-28999
08 May 2023 — SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php. • https://github.com/beerpwn/CVE/blob/master/cms_made_simple_2021/sqli_order_by/CMS-MS-SQLi-report.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 3CVE-2021-40961
https://notcve.org/view.php?id=CVE-2021-40961
09 Jun 2022 — CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL language without using the '. CMS Made Simple versiones anteriores a 2.2.15 incluyéndola, está afectado por una inyección SQL en el archivomodules/News/function.admin_articlestab.php. La variable $sortby está concatenada con $query1, pero es posible inyectar un lenguaje SQL arbitrario sin usar la variable " • https://github.com/beerpwn/CVE/blob/master/cms_made_simple_2021/sqli_order_by/CMS-MS-SQLi-report.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-23481
https://notcve.org/view.php?id=CVE-2020-23481
22 Sep 2021 — CMS Made Simple 2.2.14 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Field Definition text field. Se ha detectado que CMS Made Simple versión 2.2.14, contiene una vulnerabilidad de tipo cross-site scripting (XSS) que permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de una carga útil diseñada en el campo Field Definition text • http://dev.cmsmadesimple.org/bug/view/12317 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9060
https://notcve.org/view.php?id=CVE-2019-9060
17 Sep 2021 — An issue was discovered in CMS Made Simple 2.2.8. It is possible to achieve unauthenticated path traversal in the CGExtensions module (in the file action.setdefaulttemplate.php) with the m1_filename parameter; and through the action.showmessage.php file, it is possible to read arbitrary file content (by using that path traversal with m1_prefname set to cg_errormsg and m1_resettodefault=1). Se ha detectado un problema en CMS Made Simple versión 2.2.8. Es posible lograr un salto de ruta no autenticado en el m... • http://dev.cmsmadesimple.org/project/changelog/5819 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-22732
https://notcve.org/view.php?id=CVE-2020-22732
05 Aug 2021 — CMS Made Simple (CMSMS) 2.2.14 allows stored XSS via the Extensions > Fie Picker.. CMS Made Simple (CMSMS) versión 2.2.14, permite un ataque de tipo XSS almacenado por medio de las Extensiones ) Fie Picker.. • http://dev.cmsmadesimple.org/bug/view/12288 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-23241
https://notcve.org/view.php?id=CVE-2020-23241
26 Jul 2021 — Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via 'News > Article" feature. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en CMS Made Simple versión 2.2.14, en "Extra" por medio de la funcionalidad "News ) Article" • http://dev.cmsmadesimple.org/bug/view/12322 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •