CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-28998
https://notcve.org/view.php?id=CVE-2021-28998
08 May 2023 — File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file. • https://github.com/beerpwn/CVE/blob/master/cms_made_simple_2021/file_upload_RCE/File_upload_to_RCE.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-28999
https://notcve.org/view.php?id=CVE-2021-28999
08 May 2023 — SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php. • https://github.com/beerpwn/CVE/blob/master/cms_made_simple_2021/sqli_order_by/CMS-MS-SQLi-report.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 3CVE-2021-40961
https://notcve.org/view.php?id=CVE-2021-40961
09 Jun 2022 — CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL language without using the '. CMS Made Simple versiones anteriores a 2.2.15 incluyéndola, está afectado por una inyección SQL en el archivomodules/News/function.admin_articlestab.php. La variable $sortby está concatenada con $query1, pero es posible inyectar un lenguaje SQL arbitrario sin usar la variable " • https://github.com/beerpwn/CVE/blob/master/cms_made_simple_2021/sqli_order_by/CMS-MS-SQLi-report.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-43154
https://notcve.org/view.php?id=CVE-2021-43154
13 Apr 2022 — Cross Site Scripting (XSS) vulnerability exists in CMS Made Simple 2.2.15 via the Name field in an Add Category action in moduleinterface.php. Se presenta una vulnerabilidad de tipo Cross Site Scripting (XSS) en CMS Made Simple versión 2.2.15, por medio del campo Name en una acción Add Category en el archivo moduleinterface.php • https://elprofesor.me/2021/10/24/stored-cross-site-scripting-via-m1-name-authenticated • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-23907
https://notcve.org/view.php?id=CVE-2022-23907
28 Feb 2022 — CMS Made Simple v2.2.15 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the parameter m1_fmmessage. Se ha detectado que CMS Made Simple versión v2.2.15, contiene una vulnerabilidad de tipo cross-site scripting (XSS) reflejado por medio del parámetro m1_fmmessage. • http://dev.cmsmadesimple.org/bug/view/12503 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 6%CPEs: 1EXPL: 1CVE-2022-23906
https://notcve.org/view.php?id=CVE-2022-23906
28 Feb 2022 — CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file. Se ha detectado que CMS Made Simple versión v2.2.15, contiene una vulnerabilidad de Ejecución de Comandos Remota (RCE) por medio de la función upload avatar. Esta vulnerabilidad es explotada por medio de un archivo de imagen diseñado. • http://dev.cmsmadesimple.org/bug/view/12502 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 4CVE-2021-28935 – CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-28935
30 Mar 2021 — CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field. CMS Made Simple (CMSMS) versión 2.2.15, permite un XSS autenticado por medio del script /admin/addbookmark.php a través del campo Site Admin ) My Preferences ) Title. CMS Made Simple version 2.2.15 suffers from a reflective cross site scripting vulnerability. • https://packetstorm.news/files/id/162287 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 29EXPL: 0CVE-2005-2392
https://notcve.org/view.php?id=CVE-2005-2392
27 Jul 2005 — Cross-site scripting (XSS) vulnerability in index.php for CMSimple 2.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter in the search function. Vulnerabilidad de secuencia de comandos en sitios cruzados en index.php para CMSSimple 2.4 y anteriores permite que atacantes remotos inyecten script web arbitrario o HTML mediante el parámetro "search" en la función de búsqueda. • http://lostmon.blogspot.com/2005/07/cmsimple-search-variable-xss.html •