Cmsmadesimple » Cms Made Simple : Security Vulnerabilities, CVEs, Published In 2017 (XSS)
Cross-site scripting (XSS) vulnerability in /admin/moduleinterface.php in CMS Made Simple 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the m1_description parameter (aka "Design Manager > Categories > Category Description").
Max CVSS: 5.4 | EPSS Score: 0.07% | Published: 2017-03-09 | Updated: 2017-03-18

Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the "adminpage > sitesetting > General Settings > globalmetadata" field.
Max CVSS: 5.4 | EPSS Score: 0.07% | Published: 2017-03-09 | Updated: 2017-03-18

XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_title parameter. Someone must log in to conduct the attack.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2017-03-24 | Updated: 2017-04-05

XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_summary parameter. Someone must log in to conduct the attack.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2017-03-24 | Updated: 2017-03-31

XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_content parameter. Someone must log in to conduct the attack.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2017-03-24 | Updated: 2017-03-31

In admin\addgroup.php in CMS Made Simple 2.1.6, there is no XSS filtering when adding a user group, resulting in stored XSS via the description parameter in an addgroup action.
Max CVSS: 6.1 | EPSS Score: 0.08% | Published: 2017-06-18 | Updated: 2017-06-22

In CMS Made Simple 2.2.2, there is Reflected XSS via the cntnt01detailtemplate parameter.
Max CVSS: 6.1 | EPSS Score: 0.09% | Published: 2017-11-10 | Updated: 2017-11-22

In CMS Made Simple 2.2.3.1, the is_file_acceptable function in modules/FileManager/action.upload.php only blocks file extensions that begin or end with a "php" substring, which allows remote attackers to bypass intended access restrictions or trigger XSS via other extensions, as demonstrated by .phtml, .pht, .html, or .svg.
Max CVSS: 5.4 | EPSS Score: 0.07% | Published: 2017-11-12 | Updated: 2019-11-21

8 vulnerabilities found