CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-28998
https://notcve.org/view.php?id=CVE-2021-28998
08 May 2023 — File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file. • https://github.com/beerpwn/CVE/blob/master/cms_made_simple_2021/file_upload_RCE/File_upload_to_RCE.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-28999
https://notcve.org/view.php?id=CVE-2021-28999
08 May 2023 — SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php. • https://github.com/beerpwn/CVE/blob/master/cms_made_simple_2021/sqli_order_by/CMS-MS-SQLi-report.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 3CVE-2021-40961
https://notcve.org/view.php?id=CVE-2021-40961
09 Jun 2022 — CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL language without using the '. CMS Made Simple versiones anteriores a 2.2.15 incluyéndola, está afectado por una inyección SQL en el archivomodules/News/function.admin_articlestab.php. La variable $sortby está concatenada con $query1, pero es posible inyectar un lenguaje SQL arbitrario sin usar la variable " • https://github.com/beerpwn/CVE/blob/master/cms_made_simple_2021/sqli_order_by/CMS-MS-SQLi-report.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-22842
https://notcve.org/view.php?id=CVE-2020-22842
30 Sep 2020 — CMS Made Simple before 2.2.15 allows XSS via the m1_mod parameter in a ModuleManager local_uninstall action to admin/moduleinterface.php. CMS Made Simple versiones anteriores a 2.2.15, permite un ataque de tipo XSS por medio del parámetro m1_mod en una acción ModuleManager en la función local_uninstall en archivo admin/moduleinterface.php • http://dev.cmsmadesimple.org/bug/view/12291 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-13660
https://notcve.org/view.php?id=CVE-2020-13660
28 May 2020 — CMS Made Simple through 2.2.14 allows XSS via a crafted File Picker profile name. CMS Made Simple versiones hasta 2.2.14, permite un ataque de tipo XSS por medio de un nombre de perfil de File Picker. • http://dev.cmsmadesimple.org/bug/view/12312 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2011-4310
https://notcve.org/view.php?id=CVE-2011-4310
26 Nov 2019 — The news module in CMSMS before 1.9.4.3 allows remote attackers to corrupt new articles. El módulo de noticias en CMSMS versiones anteriores a la versión 1.9.4.3, permite a atacantes remotos corromper nuevos artículos. • https://www.cmsmadesimple.org/2011/08/Announcing-CMSMS-1-9-4-3---Security-Release • CWE-20: Improper Input Validation •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-11513
https://notcve.org/view.php?id=CVE-2019-11513
25 Apr 2019 — The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action. El Administrador de Archivos en el CMS Made Simple, hasta la versión 2.2.10, es vulnerable a un XSS reflejado a través del campo "Nuevo nombre" en una acción Renombrar. • http://dev.cmsmadesimple.org/bug/view/12022 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9061
https://notcve.org/view.php?id=CVE-2019-9061
26 Mar 2019 — An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature. Se ha descubierto un problema en CMS Made Simple 2.2.8. En el módulo ModuleManager (en el archivo action.installmodule.php), es posible alcanzar una llamada no serializada con entradas no fiables y lograr una inyección de objetos autenticada media... • https://newsletter.cmsmadesimple.org/w/89247Qog4jCRCuRinvhsofwg • CWE-502: Deserialization of Untrusted Data CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 7.2EPSS: 5%CPEs: 1EXPL: 0CVE-2019-9059
https://notcve.org/view.php?id=CVE-2019-9059
26 Mar 2019 — An issue was discovered in CMS Made Simple 2.2.8. It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable in Mail Settings, setting "sendmail" in the "Mailer" option, and launching the "Forgot your password" feature. Se ha descubierto un problema en CMS Made Simple 2.2.8. Es posible, con una cuenta de administrador, inyectar comandos modificando la ruta de un ejecutable de correo electrónico en las opciones del correo, estableciendo "sendmai... • https://newsletter.cmsmadesimple.org/w/89247Qog4jCRCuRinvhsofwg • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.2EPSS: 1%CPEs: 1EXPL: 0CVE-2019-9058
https://notcve.org/view.php?id=CVE-2019-9058
26 Mar 2019 — An issue was discovered in CMS Made Simple 2.2.8. In the administrator page admin/changegroupperm.php, it is possible to send a crafted value in the sel_groups parameter that leads to authenticated object injection. Se ha descubierto un problema en CMS Made Simple 2.2.8. En la página de administrador en admin/changegroupperm.php, es posible enviar un valor manipulado en el parámetro sel_groups que conduce a una inyección de objetos autenticada. • https://newsletter.cmsmadesimple.org/w/89247Qog4jCRCuRinvhsofwg • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •