11 results (0.007 seconds)

CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0

Vulnerability in CMS Made Simple 2.2.14, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/adduser.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially take over their browser session. Vulnerabilidad en CMS Made Simple 2.2.14, que no codifica suficientemente la entrada controlada por el usuario, lo que resulta en una vulnerabilidad de Cross Site Scripting (XSS) a través de /admin/adduser.php, en múltiples parámetros. Esta vulnerabilidad podría permitir que un atacante remoto envíe un payload de JavaScript especialmente manipulada a un usuario autenticado y se apodere parcialmente de su sesión de navegador. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cms-made-simple • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0

CMS Made Simple version 2.2.14, does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/moduleinterface.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session. CMS Made Simple versión 2.2.14 no codifica suficientemente la entrada controlada por el usuario, lo que genera una vulnerabilidad de Cross Site Scripting (XSS) a través de /admin/moduleinterface.php, en múltiples parámetros. Esta vulnerabilidad podría permitir a un atacante remoto enviar un payload de JavaScript especialmente manipulado a un usuario autenticado y secuestrar parcialmente su sesión de navegador. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cms-made-simple • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

Unrestricted file upload vulnerability in CMS Made Simple, affecting version 2.2.14. This vulnerability allows an authenticated user to bypass the security measures of the upload functionality and potentially create a remote execution of commands via webshell. Vulnerabilidad de carga de archivos sin restricciones en CMS Made Simple, que afecta a la versión 2.2.14. Esta vulnerabilidad permite a un usuario autenticado eludir las medidas de seguridad de la funcionalidad de carga y potencialmente crear una ejecución remota de comandos a través de webshell. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cms-made-simple • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0

Useful Simple Open-Source CMS (USOC) is a content management system (CMS) for programmers. Versions prior to Pb2.4Bfx3 allowed Sql injection in usersearch.php only for users with administrative privileges. Users should replace the file `admin/pages/useredit.php` with a newer version. USOC version Pb2.4Bfx3 contains a fixed version of `admin/pages/useredit.php`. Useful Simple Open-Source CMS (USOC) es un sistema de administración de contenidos (CMS) para programadores. • https://github.com/Aaron-Junker/USOC/commit/c331d26aaab41a7e9e8c1c1a990132dca9d01e10 https://github.com/Aaron-Junker/USOC/releases/tag/Pb2.4Bfx3 https://github.com/Aaron-Junker/USOC/security/advisories/GHSA-557p-hhpc-4wrx • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0

USOC is an open source CMS with a focus on simplicity. In affected versions USOC allows for SQL injection via usersearch.php. In search terms provided by the user were not sanitized and were used directly to construct a sql statement. The only users permitted to search are site admins. Users are advised to upgrade as soon as possible. • https://github.com/Aaron-Junker/USOC/commit/06217c66c8f9b114726b21633eabcd88ac9034aa https://github.com/Aaron-Junker/USOC/security/advisories/GHSA-89jg-6fr3-9q4h • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •