Cmsmadesimple » Cms Made Simple : Security Vulnerabilities, CVEs, CVSS score >= 3
Vulnerability in CMS Made Simple 2.2.14, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/adduser.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially take over their browser session.
Max CVSS
7.4
EPSS Score
0.04%
Published
2024-03-12
Updated
2024-03-12
CMS Made Simple version 2.2.14, does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/moduleinterface.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.
Max CVSS
7.4
EPSS Score
0.04%
Published
2024-03-12
Updated
2024-03-12
Unrestricted file upload vulnerability in CMS Made Simple, affecting version 2.2.14. This vulnerability allows an authenticated user to bypass the security measures of the upload functionality and potentially create a remote execution of commands via webshell.
Max CVSS
9.8
EPSS Score
0.04%
Published
2024-03-12
Updated
2024-03-12
A File upload vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to upload a pdf file with hidden Cross Site Scripting (XSS).
Max CVSS
5.4
EPSS Score
0.04%
Published
2023-09-28
Updated
2023-10-30
Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component.
Max CVSS
5.4
EPSS Score
N/A
Published
2023-10-25
Updated
2023-10-30
Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Page Specific Metadata and Smarty data parameters in the Content Manager Menu component.
Max CVSS
5.4
EPSS Score
0.04%
Published
2023-10-19
Updated
2023-10-30
Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the News Menu component.
Max CVSS
5.4
EPSS Score
0.04%
Published
2023-10-23
Updated
2023-10-30
Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the Manage Shortcuts component.
Max CVSS
5.4
EPSS Score
0.04%
Published
2023-10-20
Updated
2023-10-25
Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Global Meatadata parameter in the Global Settings Menu component.
Max CVSS
5.4
EPSS Score
0.04%
Published
2023-10-20
Updated
2023-10-25
Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the password and password again parameters in the My Preferences - Add user component.
Max CVSS
5.4
EPSS Score
0.04%
Published
2023-10-20
Updated
2023-10-25
Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Profiles parameter in the Extensions -MicroTiny WYSIWYG editor component.
Max CVSS
5.4
EPSS Score
0.04%
Published
2023-10-20
Updated
2023-10-25
Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the extra parameter in the news menu component.
Max CVSS
5.4
EPSS Score
0.04%
Published
2023-10-20
Updated
2023-10-25
Cross-Site Scripting (XSS) vulnerability in cmsmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload injected into the Database Name, DataBase User or Database Port components.
Max CVSS
6.1
EPSS Score
0.09%
Published
2023-09-25
Updated
2023-11-08
A Cross-site scripting (XSS) vulnerability in CMS Made Simple v2.2.17 allows remote attackers to inject arbitrary web script or HTML via the File Upload function.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-07-06
Updated
2023-07-11
CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function.
Max CVSS
8.8
EPSS Score
0.06%
Published
2023-07-06
Updated
2023-07-12
CMS Made Simple v2.2.15 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the parameter m1_fmmessage.
Max CVSS
6.1
EPSS Score
0.08%
Published
2022-02-28
Updated
2022-03-08
CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file.
Max CVSS
7.2
EPSS Score
0.22%
Published
2022-02-28
Updated
2022-03-08
Cross Site Scripting (XSS) vulnerability exists in CMS Made Simple 2.2.15 via the Name field in an Add Category action in moduleinterface.php.
Max CVSS
6.1
EPSS Score
0.07%
Published
2022-04-13
Updated
2022-04-21
CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL language without using the '.
Max CVSS
8.8
EPSS Score
0.33%
Published
2022-06-09
Updated
2023-02-06
SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php.
Max CVSS
8.8
EPSS Score
0.05%
Published
2023-05-08
Updated
2023-05-15
File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file.
Max CVSS
7.2
EPSS Score
0.09%
Published
2023-05-08
Updated
2023-05-12
CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field.
Max CVSS
5.4
EPSS Score
0.10%
Published
2021-03-30
Updated
2021-06-04
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Design" parameter under the "Designs" module.
Max CVSS
5.4
EPSS Score
0.06%
Published
2021-07-02
Updated
2021-07-06
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Stylesheet" parameter under the "Stylesheets" module.
Max CVSS
5.4
EPSS Score
0.06%
Published
2021-07-02
Updated
2021-07-06
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "URL (slug)" or "Extra" fields under the "Add Article" feature.
Max CVSS
5.4
EPSS Score
0.06%
Published
2021-07-02
Updated
2021-07-06