CMS Made Simple (cmsmadesimple) vulnerabilities
153 known vulnerabilities affecting cmsmadesimple/cms_made_simple.
Total CVEs: 153
CISA KEV: 0
Public exploits: 19
Exploited in wild: 0
Severity breakdown
CRITICAL: 8 | HIGH: 40 | MEDIUM: 101 | LOW: 4
Vulnerabilities
Page 3 of 8
CVE-2020-17462 | P3 | HIGH | CVSS 7.8 | v2.2.14 | 2020-08-14
CMS Made Simple 2.2.14 allows Authenticated Arbitrary File Upload because the File Manager does not block .ptar files, a related issue to CVE-2017-16798.
nvd
CVE-2019-9059 | P3 | HIGH | CVSS 7.2 | CWE-77 | ≤ 2.2.8 | 2019-03-26
An issue was discovered in CMS Made Simple 2.2.8. It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable in Mail Settings, setting "sendmail" in the "Mailer" option, and launching the "Forgot your password" feature.
nvd
CVE-2018-10515 | P3 | HIGH | CVSS 7.2 | CWE-94 | ≤ 2.2.7 | 2018-04-27
In CMS Made Simple (CMSMS) through 2.2.7, the "file unpack" operation in the admin dashboard contains a remote code execution vulnerability exploitable by an admin user because a .php file can be present in the extracted ZIP archive.
nvd
CVE-2020-10682 | P3 | HIGH | CVSS 7.8 | CWE-434 | v2.2.13 | 2020-03-20
The Filemanager in CMS Made Simple 2.2.13 allows remote code execution via a .php.jpegd JPEG file, as demonstrated by m1_files[] to admin/moduleinterface.php. The file should be sent as application/octet-stream and contain PHP code (it need not be a valid JPEG file).
nvd
CVE-2023-43352 | P3 | HIGH | CVSS 7.8 | CWE-94 | v2.2.18 | 2023-10-26
An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component.
nvd
CVE-2017-17735 | P3 | CRITICAL | CVSS 9.8 | CWE-200 | fixed in 2.2.5 | 2017-12-18
CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in cookies.
nvd
CVE-2005-3083 | P4 | MEDIUM | CVSS 4.3 | PoC | v0.10 | 2005-09-27
Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 0.10 allows remote attackers to inject arbitrary web script or HTML via the page parameter.
nvd
CVE-2017-17734 | P4 | CRITICAL | CVSS 9.8 | CWE-200 | fixed in 2.2.5 | 2017-12-18
CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in sessions.
nvd
CVE-2019-9058 | P3 | HIGH | CVSS 7.2 | CWE-1321 | ≤ 2.2.8 | 2019-03-26
An issue was discovered in CMS Made Simple 2.2.8. In the administrator page admin/changegroupperm.php, it is possible to send a crafted value in the sel_groups parameter that leads to authenticated object injection.
nvd
CVE-2017-1000454 | P4 | HIGH | CVSS 7.8 | CWE-74 | fixed in 2.2 | ≥ 2.2.1 | 2018-01-02
CMS Made Simple 2.1.6, 2.2, 2.2.1 are vulnerable to Smarty Template Injection in some core components, resulting in local file read before 2.2, and local file inclusion since 2.2.1
nvd
CVE-2018-1000092 | P4 | HIGH | CVSS 8.8 | CWE-352 | v2.2.5 | 2018-03-13
CMS Made Simple version 2.2.5 contains a Cross Site Request Forgery (CSRF) vulnerability in the Admin profile page. Details can be found here: http://dev.cmsmadesimple.org/bug/view/11715. This attack appears to be exploitable via a specially crafted web page. This vulnerability appears to have been fixed in 2.2.6.
nvd
CVE-2020-37238 | P4 | MEDIUM | CVSS 6.4 | CWE-79 | v2.2.15 | 2026-05-16
CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enablin
nvd
CVE-2016-7904 | P4 | HIGH | CVSS 8.0 | CWE-352 | ≤ 2.1.5 | 2017-01-16
Cross-site request forgery (CSRF) vulnerability in CMS Made Simple before 2.1.6 allows remote attackers to hijack the authentication of administrators for requests that create accounts via an admin/adduser.php request.
nvd
CVE-2018-10031 | P4 | HIGH | CVSS 8.8 | CWE-352 | ≤ 2.2.7 | 2018-04-11
CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/moduleinterface.php.
nvd
CVE-2018-10030 | P4 | HIGH | CVSS 8.8 | CWE-352 | ≤ 2.2.7 | 2018-04-11
CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/siteprefs.php.
nvd
CVE-2007-0551 | P4 | HIGH | CVSS 7.5 | v2.7 | 2007-01-29
Multiple PHP remote file inclusion vulnerabilities in cmsimple/cms.php in CMSimple 2.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) pth[file][config] and (2) pth[file][image] parameters.
nvd
CVE-2018-10518 | P4 | MEDIUM | CVSS 6.5 | CWE-732 | ≤ 2.2.7 | 2018-04-27
In CMS Made Simple (CMSMS) through 2.2.7, the "file delete" operation in the admin dashboard contains an arbitrary file deletion vulnerability that can cause DoS, exploitable by an admin user, because the attacker can remove all lib/ files in all directories.
nvd
CVE-2018-10520 | P4 | MEDIUM | CVSS 6.5 | CWE-732 | ≤ 2.2.7 | 2018-04-27
In CMS Made Simple (CMSMS) through 2.2.7, the "module remove" operation in the admin dashboard contains an arbitrary file deletion vulnerability that can cause DoS, exploitable by an admin user, because the attacker can remove all lib/ files in all directories.
nvd
CVE-2014-2245 | P4 | MEDIUM | CVSS 6.0 | CWE-89 | ≤ 1.11.9 | v0.1 +62 more | 2014-03-05
SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 allows remote authenticated users with the "Modify News" permission to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php. NOTE: some of these details are obtained from third party information.
nvd
CVE-2010-4663 | P4 | CRITICAL | CVSS 10.0 | ≤ 1.9 | v0.1 +75 more | 2011-06-08
Unspecified vulnerability in the News module in CMS Made Simple (CMSMS) before 1.9.1 has unknown impact and attack vectors.
nvd