Cmsmadesimple » Cms Made Simple: Security Vulnerabilities, CVEs (Information Leak)
CMS Made Simple (CMSMS) through 2.2.7 contains a physical path leakage vulnerability via /modules/DesignManager/action.ajax_get_templates.php, /modules/DesignManager/action.ajax_get_stylesheets.php, /modules/FileManager/dunzip.php, or /modules/FileManager/untgz.php.
Max CVSS: 5.3 | EPSS Score: 0.09% | Published: 2018-04-27 | Updated: 2018-05-24
In CMS Made Simple (CMSMS) through 2.2.7, the "file view" operation in the admin dashboard contains a sensitive information disclosure vulnerability, exploitable by ordinary users, because the product exposes unrestricted access to the PHP file_get_contents function.
Max CVSS: 4.9 | EPSS Score: 0.07% | Published: 2018-04-27 | Updated: 2018-05-24
In CMS Made Simple (CMSMS) through 2.2.7, the "file rename" operation in the admin dashboard contains a sensitive information disclosure vulnerability, exploitable by an admin user, that can cause DoS by moving config.php to the upload/ directory.
Max CVSS: 6.5 | EPSS Score: 0.08% | Published: 2018-04-27 | Updated: 2018-05-24
CMS Made Simple (CMSMS) through 2.2.7 allows physical path leakage via an invalid /index.php?page= value, a crafted URI starting with /index.php?mact=Search, or a direct request to /admin/header.php, /admin/footer.php, /lib/tasks/class.ClearCache.task.php, or /lib/tasks/class.CmsSecurityCheck.task.php.
Max CVSS: 5.3 | EPSS Score: 0.09% | Published: 2018-04-13 | Updated: 2018-04-13
CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in cookies.
Max CVSS: 9.8 | EPSS Score: 0.18% | Published: 2017-12-18 | Updated: 2018-01-04
CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in sessions.
Max CVSS: 9.8 | EPSS Score: 0.18% | Published: 2017-12-18 | Updated: 2018-01-04
CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via defaultadmin.
Max CVSS: 5.3 | EPSS Score: 0.24% | Published: 2017-02-21 | Updated: 2017-02-23
CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via exportxml.
Max CVSS: 5.3 | EPSS Score: 0.24% | Published: 2017-02-21 | Updated: 2020-05-05
CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to execute PHP code via the cntnt01fbrp_forma_form_template parameter in admin_store_form.
Max CVSS: 9.8 | EPSS Score: 0.94% | Published: 2017-02-21 | Updated: 2017-02-23
CMS Made Simple (CMSMS) 1.9.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/TinyMCE/TinyMCE.module.php and certain other files. NOTE: this might overlap CVE-2007-5444.
Max CVSS: 5.0 | EPSS Score: 0.29% | Published: 2011-09-23 | Updated: 2012-03-13
CMS Made Simple 1.1.3.1 allows remote attackers to obtain the full path via a direct request for unspecified files.
Max CVSS: 5.0 | EPSS Score: 0.40% | Published: 2007-10-14 | Updated: 2018-10-15
11 vulnerabilities found