CVSS: 9.8EPSS: 91%CPEs: 1EXPL: 4CVE-2019-11231 – GetSimpleCMS - Unauthenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-11231
16 May 2019 — An issue was discovered in GetSimple CMS through 3.3.15. insufficient input sanitation in the theme-edit.php file allows upload of files with arbitrary content (PHP code, for example). This vulnerability is triggered by an authenticated user; however, authentication can be bypassed. According to the official documentation for installation step 10, an admin is required to upload all the files, including the .htaccess files, and run a health check. However, what is overlooked is that the Apache HTTP Server by... • https://packetstorm.news/files/id/152961 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17103
https://notcve.org/view.php?id=CVE-2018-17103
16 Sep 2018 — An issue was discovered in GetSimple CMS v3.3.13. There is a CSRF vulnerability that can change the administrator's password via admin/settings.php. NOTE: The vendor reported that the PoC was sending a value for the nonce parameter ** EN DISPUTA ** Se ha descubierto un problema en GetSimple CMS v3.3.13. Hay una vulnerabilidad CSRF que puede cambiar la contraseña del administrador mediante admin settings.php. NOTA: el fabricante informa de que el PoC estaba enviando un valor para el parámetro nonce. • https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1295 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2018-9173 – GetSimple CMS 3.3.13 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-9173
02 Apr 2018 — Cross-site scripting (XSS) vulnerability in admin/template/js/uploadify/uploadify.swf in GetSimple CMS 3.3.13 allows remote attackers to inject arbitrary web script or HTML, as demonstrated by the movieName parameter. Existe una vulnerabilidad explotable de uso de credenciales embebidas en los puntos de acceso inalámbrico Moxa AWK-3131A que ejecuten la versión 1.1 del firmware. El sistema operativo del dispositivo contiene una cuenta (root) privilegiada y sin documentar con credenciales embebidas, lo que da... • https://packetstorm.news/files/id/147064 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •