Cmsmadesimple Cms Made Simple vulnerabilities
153 known vulnerabilities affecting cmsmadesimple/cms_made_simple.
Total CVEs: 153
CISA KEV: 0
Public exploits: 19
Exploited in wild: 0
Severity breakdown: CRITICAL 8, HIGH 40, MEDIUM 101, LOW 4
Vulnerabilities
CVE-2012-5450 [MEDIUM] CWE-352 | P4 | CVSS 6.8 | ≤ 1.11.2, v0.1 +82 more | 2012-12-03
Cross-site request forgery (CSRF) vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) 1.11.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deld parameter.
nvd
CVE-2018-9921 [MEDIUM] CWE-22 | P4 | CVSS 5.3 | v2.2.7 | 2018-04-23
In CMS Made Simple 2.2.7, a Directory Traversal issue makes it possible to determine the existence of files and directories outside the web-site installation directory, and determine whether a file has contents matching a specified checksum. The attack uses an admin/checksum.php?__c= request.
nvd
CVE-2018-10516 [MEDIUM] CWE-200 | P4 | CVSS 6.5 | ≤ 2.2.7 | 2018-04-27
In CMS Made Simple (CMSMS) through 2.2.7, the "file rename" operation in the admin dashboard contains a sensitive information disclosure vulnerability, exploitable by an admin user, that can cause DoS by moving config.php to the upload/ directory.
nvd
CVE-2024-27623 [MEDIUM] CWE-1336 | P4 | CVSS 5.9 | v2.2.19 | 2024-03-05
CMS Made Simple version 2.2.19 is vulnerable to Server-Side Template Injection (SSTI). The vulnerability exists within the Design Manager, particularly when editing the Breadcrumbs.
nvd
CVE-2020-20138 [MEDIUM] CWE-79 | P4 | CVSS 6.1 | v2.2.4 | 2020-12-17
Cross Site Scripting (XSS) vulnerability in the Showtime2 Slideshow module in CMS Made Simple (CMSMS) 2.2.4.
nvd
CVE-2010-3883 [MEDIUM] CWE-352 | P4 | CVSS 6.8 | ≤ 1.7.1, v0.10 +48 more | 2010-10-08
Cross-site request forgery (CSRF) vulnerability in the Change Group Permissions module in CMS Made Simple 1.7.1 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that make permission modifications.
nvd
CVE-2023-43339 [MEDIUM] CWE-79 | P4 | CVSS 6.1 | v2.2.18 | 2023-09-25
Cross-Site Scripting (XSS) vulnerability in cmsmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload injected into the Database Name, DataBase User or Database Port components.
nvd
CVE-2024-1529 [MEDIUM] CWE-79 | P4 | CVSS 6.1 | v2.2.14 | 2024-03-12
Vulnerability in CMS Made Simple 2.2.14, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/adduser.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially take over th
nvd
CVE-2017-6071 [MEDIUM] CWE-200 | P4 | CVSS 5.3 | ≤ 1.12.2 | 2017-02-21
CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via exportxml.
nvd
CVE-2017-6072 [MEDIUM] CWE-200 | P4 | CVSS 5.3 | ≤ 1.12.2 | 2017-02-21
CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via defaultadmin.
nvd
CVE-2018-10082 [MEDIUM] CWE-200 | P4 | CVSS 5.3 | ≤ 2.2.7 | 2018-04-13
CMS Made Simple (CMSMS) through 2.2.7 allows physical path leakage via an invalid /index.php?page= value, a crafted URI starting with /index.php?mact=Search, or a direct request to /admin/header.php, /admin/footer.php, /lib/tasks/class.ClearCache.task.php, or /lib/tasks/class.CmsSecurityCheck.task.php.
nvd
CVE-2018-10523 [MEDIUM] CWE-200 | P4 | CVSS 5.3 | ≤ 2.2.7 | 2018-04-27
CMS Made Simple (CMSMS) through 2.2.7 contains a physical path leakage vulnerability via /modules/DesignManager/action.ajax_get_templates.php, /modules/DesignManager/action.ajax_get_stylesheets.php, /modules/FileManager/dunzip.php, or /modules/FileManager/untgz.php.
nvd
CVE-2017-16798 [MEDIUM] CWE-79 | P4 | CVSS 5.4 | v2.2.3.1 | 2017-11-12
In CMS Made Simple 2.2.3.1, the is_file_acceptable function in modules/FileManager/action.upload.php only blocks file extensions that begin or end with a "php" substring, which allows remote attackers to bypass intended access restrictions or trigger XSS via other extensions, as demonstrated by .phtml, .pht, .html, or .svg.
nvd
CVE-2023-43872 [MEDIUM] CWE-79 | P4 | CVSS 5.4 | v2.2.18 | 2023-09-28
A file upload vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to upload a PDF file with hidden Cross Site Scripting (XSS).
nvd
CVE-2017-11405 [MEDIUM] CWE-434 | P4 | CVSS 4.9 | v2.2.2 | 2017-07-18
In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a CMSContentManager action to admin/moduleinterface.php, followed by a FilePicker action to admin/moduleinterface.php in which type=image is changed to type=file.
nvd
CVE-2024-1528 [MEDIUM] CWE-79 | P4 | CVSS 6.1 | v2.2.14 | 2024-03-12
CMS Made Simple version 2.2.14 does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/moduleinterface.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially hijack their browse
nvd
CVE-2019-11226 [MEDIUM] CWE-79 | P4 | CVSS 5.4 | v2.2.10 | 2019-06-05
CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News.
nvd
CVE-2019-10105 [MEDIUM] CWE-79 | P4 | CVSS 5.4 | v2.2.10 | 2019-03-26
CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager.
nvd
CVE-2020-10681 [MEDIUM] CWE-79 | P4 | CVSS 5.4 | v2.2.13 | 2020-03-20
The Filemanager in CMS Made Simple 2.2.13 has stored XSS via a .pxd file, as demonstrated by m1_files[] to admin/moduleinterface.php.
nvd
CVE-2023-43360 [MEDIUM] CWE-79 | P4 | CVSS 5.4 | v2.2.18 | 2023-10-25
Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component.
nvd