cmsmadesimple CMS Made Simple vulnerabilities
153 known vulnerabilities affecting cmsmadesimple/cms_made_simple.
Total CVEs: 153
CISA KEV: 0
Public exploits: 19
Exploited in wild: 0
Severity breakdown: CRITICAL 8, HIGH 40, MEDIUM 101, LOW 4
Vulnerabilities
Page 1 of 8
CVE-2023-36969 | P2 | HIGH | CVSS 8.8 | CWE-434 | PoC | v2.2.17 | 2023-07-06
CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function.
nvd
CVE-2019-9053 | P2 | HIGH | CVSS 8.1 | CWE-89 | PoC | v2.2.8 | 2019-03-26
An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.
nvd
CVE-2018-1000094 | P2 | HIGH | CVSS 7.2 | CWE-434 | PoC | v2.2.5 | 2018-03-13
CMS Made Simple version 2.2.5 contains a Remote Code Execution vulnerability in File Manager that allows an authenticated admin who has access to the file manager to execute code on the server. This attack appears to be exploitable via File upload -> copy to any extension.
nvd
CVE-2017-16783 | P2 | CRITICAL | CVSS 9.8 | CWE-94 | PoC | v2.1.6 | 2017-11-10
In CMS Made Simple 2.1.6, there is Server-Side Template Injection via the cntnt01detailtemplate parameter.
nvd
CVE-2019-9055 | P2 | HIGH | CVSS 8.8 | CWE-502 | PoC | ≤ 2.2.8 | 2019-03-26
An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible to reach an unserialize call with a crafted value in the m1_allparms parameter, and achieve object injection.
nvd
CVE-2019-9692 | P3 | MEDIUM | CVSS 6.5 | CWE-434 | PoC | fixed in 2.2.10 | 2019-03-11
class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).
nvd
CVE-2018-7448 | P2 | HIGH | CVSS 7.5 | CWE-78 | PoC | v2.1.6 | 2018-02-26
Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure.
nvd
CVE-2018-10517 | P3 | HIGH | CVSS 7.2 | CWE-94 | PoC | ≤ 2.2.7 | 2018-04-27
In CMS Made Simple (CMSMS) through 2.2.7, the "module import" operation in the admin dashboard contains a remote code execution vulnerability, exploitable by an admin user, because an XML Package can contain base64-encoded PHP code in a data element.
nvd
CVE-2017-8912 | P3 | HIGH | CVSS 7.2 | CWE-94 | PoC | v2.1.6 | 2017-05-12
CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated administrators to execute arbitrary PHP code via the code parameter to admin/editusertag.php, related to the CreateTagFunction and CallUserTag functions. NOTE: the vendor reportedly has stated this is "a feature, not a bug."
nvd
CVE-2007-2473 | P3 | HIGH | CVSS 7.5 | PoC | ≤ 1.0.5 | 2007-05-02
SQL injection vulnerability in stylesheet.php in CMS Made Simple 1.0.5 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter.
nvd
CVE-2005-2846 | P3 | HIGH | CVSS 7.5 | PoC | v0.10 | 2005-09-08
PHP remote file inclusion vulnerability in lang.php in CMS Made Simple 0.10 and earlier allows remote attackers to execute arbitrary PHP code via the nls[file][vx][vxsfx] parameter.
nvd
CVE-2007-6656 | P3 | HIGH | CVSS 7.5 | CWE-89 | PoC | ≤ 1.2.2 | 2008-01-04
SQL injection vulnerability in content_css.php in the TinyMCE module for CMS Made Simple 1.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter.
nvd
CVE-2008-5642 | P3 | MEDIUM | CVSS 5.0 | CWE-22 | PoC | v1.4.1 | 2008-12-17
Directory traversal vulnerability in admin/login.php in CMS Made Simple 1.4.1 allows remote attackers to read arbitrary files via a .. (dot dot) in a cms_language cookie.
nvd
CVE-2018-10085 | P3 | CRITICAL | CVSS 9.8 | CWE-502 | ≤ 2.2.6 | 2018-04-13
CMS Made Simple (CMSMS) through 2.2.6 allows PHP object injection because of an unserialize call in the _get_data function of \lib\classes\internal\class.LoginOperations.php. By sending a crafted cookie, a remote attacker can upload and execute code, or delete files.
nvd
CVE-2017-1000453 | P3 | CRITICAL | CVSS 9.8 | CWE-74 | fixed in 2.2 | ≥ 2.2.1 | 2018-01-02
CMS Made Simple versions 2.1.6 and 2.2 are vulnerable to Smarty templating injection in some core modules, resulting in unauthenticated PHP code execution.
nvd
CVE-2021-40961 | P3 | HIGH | CVSS 8.8 | CWE-89 | ≤ 2.2.15 | 2022-06-09
CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL language without using the '.
nvd
CVE-2021-28999 | P3 | HIGH | CVSS 8.8 | CWE-89 | ≤ 2.2.15 | 2023-05-08
SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php.
nvd
CVE-2024-1527 | P3 | HIGH | CVSS 8.8 | CWE-434 | v2.2.14 | 2024-03-12
Unrestricted file upload vulnerability in CMS Made Simple, affecting version 2.2.14. This vulnerability allows an authenticated user to bypass the security measures of the upload functionality and potentially create a remote execution of commands via webshell.
nvd
CVE-2024-27622 | P3 | HIGH | CVSS 7.2 | CWE-75 | v2.2.19 | v2.2.21 | 2024-03-05
A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19 / 2.2.21. This vulnerability arises from inadequate sanitization of user-supplied input in the 'Code' section of the module. As a result, authenticated users with administrative privileges can inject and execute arbitrary PHP code
nvd
CVE-2017-6070 | P3 | CRITICAL | CVSS 9.8 | CWE-200 | ≤ 1.12.2 | 2017-02-21
CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to execute PHP code via the cntnt01fbrp_forma_form_template parameter in admin_store_form.
nvd