CVE-2024-1528
Cross-site Scripting in CMS Made Simple
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
CMS Made Simple version 2.2.14, does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/moduleinterface.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.
CMS Made Simple versión 2.2.14 no codifica suficientemente la entrada controlada por el usuario, lo que genera una vulnerabilidad de Cross Site Scripting (XSS) a través de /admin/moduleinterface.php, en múltiples parámetros. Esta vulnerabilidad podría permitir a un atacante remoto enviar un payload de JavaScript especialmente manipulado a un usuario autenticado y secuestrar parcialmente su sesión de navegador.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-15 CVE Reserved
- 2024-03-12 CVE Published
- 2024-03-13 EPSS Updated
- 2024-08-01 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
- CAPEC-63: Cross-Site Scripting (XSS)
References (1)
| URL | Tag | Source |
|---|---|---|
| https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cms-made-simple |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| CMS Made Simple Search vendor "CMS Made Simple" | CMS Made Simple Search vendor "CMS Made Simple" for product "CMS Made Simple" | 2.2.14 Search vendor "CMS Made Simple" for product "CMS Made Simple" and version "2.2.14" | en |
Affected
| ||||||