
Get-Simple Getsimple Cms vulnerabilities

25 known vulnerabilities affecting get-simple/getsimple_cms.

Total CVEs: 25
CISA KEV: 0
Public exploits: 8
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 2, MEDIUM 19, LOW 2

Vulnerabilities

Page 1 of 2
CVE-2019-11231 | P1 | CRITICAL | CVSS 9.8 | PoC | ≤ 3.3.15 | 2019-05-22
CWE-22: An issue was discovered in GetSimple CMS through 3.3.15. Insufficient input sanitation in the theme-edit.php file allows upload of files with arbitrary content (PHP code, for example). This vulnerability is triggered by an authenticated user; however, authentication can be bypassed. According to the official documentation for installation step 10,
nvd
CVE-2022-41544 | P2 | CRITICAL | CVSS 9.8 | PoC | v3.3.16 | 2022-10-18
CWE-94: GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php.
nvd
CVE-2014-8722 | P3 | HIGH | CVSS 7.5 | PoC | v3.3.4 | 2017-03-17
CWE-200: GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) data/users/.xml, (2) backups/users/.xml.bak, (3) data/other/authorization.xml, or (4) data/other/appid.xml.
nvd
CVE-2020-23839 | P3 | MEDIUM | CVSS 6.1 | PoC | v3.3.16 | 2020-09-01
CWE-79: A Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16, in the admin/index.php login portal webpage, allows remote attackers to execute JavaScript code in the client's browser and harvest login credentials after a client clicks a link, enters credentials, and submits the login form.
nvd
CVE-2018-9173 | P4 | MEDIUM | CVSS 6.1 | PoC | v3.3.13 | 2018-04-02
CWE-79: Cross-site scripting (XSS) vulnerability in admin/template/js/uploadify/uploadify.swf in GetSimple CMS 3.3.13 allows remote attackers to inject arbitrary web script or HTML, as demonstrated by the movieName parameter.
nvd
CVE-2010-4863 | P4 | MEDIUM | CVSS 4.3 | PoC | v2.01 | 2011-10-05
CWE-79: Cross-site scripting (XSS) vulnerability in admin/changedata.php in GetSimple CMS 2.01 allows remote attackers to inject arbitrary web script or HTML via the post-title parameter.
nvd
CVE-2014-1603 | P4 | MEDIUM | CVSS 4.3 | PoC | v3.3.1 | 2014-05-14
CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS 3.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) param parameter to admin/load.php or (2) user, (3) email, or (4) name parameter in a Save Settings action to admin/settings.php.
nvd
CVE-2010-5052 | P4 | MEDIUM | CVSS 4.3 | PoC | v2.01 | 2011-11-23
CWE-79: Cross-site scripting (XSS) vulnerability in admin/components.php in GetSimple CMS 2.01 allows remote attackers to inject arbitrary web script or HTML via the val[] parameter.
nvd
CVE-2018-17103 | P3 | HIGH | CVSS 8.8 | v3.3.13 | 2018-09-16
CWE-352: An issue was discovered in GetSimple CMS v3.3.13. There is a CSRF vulnerability that can change the administrator's password via admin/settings.php. NOTE: The vendor reported that the PoC was sending a value for the nonce parameter
nvd
CVE-2014-8790 | P4 | MEDIUM | CVSS 5.0 | v3.1.1, v3.1.2, +7 more | 2015-01-20
XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter.
nvd
CVE-2013-1420 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.2.1 | 2020-01-02
Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to backup-edit.php; (2) title or (3) menu parameter to edit.php; or (4) path or (5) returnid parameter to filebrowser.php in admin/. NOTE: the path parameter in admin/upload.php vector is alre
nvd
CVE-2018-19845 | P4 | MEDIUM | CVSS 5.4 | v3.3.12 | 2018-12-31
There is Stored XSS in GetSimple CMS 3.3.12 via the admin/edit.php "post-menu" parameter, a related issue to CVE-2018-16325.
nvd
CVE-2018-16325 | P4 | MEDIUM | CVSS 6.1 | v3.4.0.9 | 2018-09-01
CWE-79: There is XSS in GetSimple CMS 3.4.0.9 via the admin/edit.php title field.
nvd
CVE-2017-10673 | P4 | MEDIUM | CVSS 6.1 | v3.0, v3.1, +9 more | 2017-06-29
CWE-79: admin/profile.php in GetSimple CMS 3.x has XSS in a name field.
nvd
CVE-2020-24861 | P4 | MEDIUM | CVSS 5.4 | v3.3.16 | 2020-10-01
CWE-79: GetSimple CMS 3.3.16 allows persistent Cross Site Scripting via the 'permalink' parameter on the Settings page, which is executed when you create and open a new page.
nvd
CVE-2019-16333 | P4 | MEDIUM | CVSS 5.4 | v3.3.15 | 2019-09-15
CWE-79: GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php.
nvd
CVE-2018-17835 | P4 | MEDIUM | CVSS 4.8 | v3.3.15 | 2018-10-01
CWE-79: An issue was discovered in GetSimple CMS 3.3.15. An administrator can insert stored XSS via the admin/settings.php Custom Permalink Structure parameter, which injects the XSS payload into any page created at the admin/pages.php URI.
nvd
CVE-2013-7243 | P4 | MEDIUM | CVSS 4.3 | v3.1.2, v3.2.3 | 2014-01-17
Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS 3.1.2 and 3.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) post-menu field to edit.php or (2) Display name field to settings.php. NOTE: The Custom Permalink Structure and Email Address fields are already covered by CVE-2012-6621.
nvd
CVE-2015-5355 | P4 | MEDIUM | CVSS 4.3 | ≤ 3.3.2 | 2015-07-01
CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 allow remote attackers to inject arbitrary web script or HTML via the (1) post-content or (2) post-title parameter to admin/edit.php.
nvd
CVE-2015-5356 | P4 | MEDIUM | CVSS 4.3 | ≤ 3.3.2 | 2015-07-01
CWE-79: Cross-site scripting (XSS) vulnerability in admin/filebrowser.php in GetSimple CMS before 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the func parameter.
nvd