CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Cmsmadesimple : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-23907 79 XSS 2022-02-28 2022-03-08
4.3
None Remote Medium Not required None Partial None
CMS Made Simple v2.2.15 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the parameter m1_fmmessage.
2 CVE-2022-23906 434 Exec Code 2022-02-28 2022-03-08
6.5
None Remote Low ??? Partial Partial Partial
CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file.
3 CVE-2021-43154 79 XSS 2022-04-13 2022-04-21
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) vulnerability exists in CMS Made Simple 2.2.15 via the Name field in an Add Category action in moduleinterface.php.
4 CVE-2021-28935 79 XSS 2021-03-30 2021-06-04
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field.
5 CVE-2020-36416 79 XSS 2021-07-02 2021-07-06
3.5
None Remote Medium ??? None Partial None
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Design" parameter under the "Designs" module.
6 CVE-2020-36415 79 XSS 2021-07-02 2021-07-06
3.5
None Remote Medium ??? None Partial None
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Stylesheet" parameter under the "Stylesheets" module.
7 CVE-2020-36414 79 XSS 2021-07-02 2021-07-06
3.5
None Remote Medium ??? None Partial None
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "URL (slug)" or "Extra" fields under the "Add Article" feature.
8 CVE-2020-36413 79 XSS 2021-07-02 2021-07-06
3.5
None Remote Medium ??? None Partial None
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Exclude these IP addresses from the "Site Down" status" parameter under the "Maintenance Mode" module.
9 CVE-2020-36412 79 XSS 2021-07-02 2021-07-06
3.5
None Remote Medium ??? None Partial None
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Search Text" field under the "Admin Search" module.
10 CVE-2020-36411 79 XSS 2021-07-02 2021-07-06
3.5
None Remote Medium ??? None Partial None
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Path for the {page_image} tag:" or "Path for thumbnail field:" parameters under the "Content Editing Settings" module.
11 CVE-2020-36410 79 XSS 2021-07-02 2021-07-06
3.5
None Remote Medium ??? None Partial None
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Email address to receive notification of news submission" parameter under the "Options" module.
12 CVE-2020-36409 79 XSS 2021-07-02 2021-07-06
3.5
None Remote Medium ??? None Partial None
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add Category" parameter under the "Categories" module.
13 CVE-2020-36408 79 XSS 2021-07-02 2021-07-06
3.5
None Remote Medium ??? None Partial None
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add Shortcut" parameter under the "Manage Shortcuts" module.
14 CVE-2020-27377 79 XSS 2021-06-01 2021-06-09
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability was discovered in the Administrator panel on the 'Setting News' module on CMS Made Simple 2.2.14 which allows an attacker to execute arbitrary web scripts.
15 CVE-2020-24860 79 XSS 2020-10-01 2020-10-08
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website.
16 CVE-2020-23481 79 XSS 2021-09-22 2021-09-28
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.14 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Field Definition text field.
17 CVE-2020-23241 79 XSS 2021-07-26 2021-07-30
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via 'News > Article" feature.
18 CVE-2020-23240 79 XSS 2021-07-26 2021-07-30
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerablity in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature.
19 CVE-2020-22842 79 XSS 2020-09-30 2020-10-02
3.5
None Remote Medium ??? None Partial None
CMS Made Simple before 2.2.15 allows XSS via the m1_mod parameter in a ModuleManager local_uninstall action to admin/moduleinterface.php.
20 CVE-2020-22732 79 XSS 2021-08-05 2021-08-11
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.14 allows stored XSS via the Extensions > Fie Picker..
21 CVE-2020-20138 79 XSS 2020-12-17 2020-12-18
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) vulnerability in the Showtime2 Slideshow module in CMS Made Simple (CMSMS) 2.2.4.
22 CVE-2020-17462 434 2020-08-14 2020-08-19
6.5
None Remote Low ??? Partial Partial Partial
CMS Made Simple 2.2.14 allows Authenticated Arbitrary File Upload because the File Manager does not block .ptar files, a related issue to CVE-2017-16798.
23 CVE-2020-14926 79 XSS 2020-06-19 2020-06-24
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.14 allows XSS via a Search Term to the admin/moduleinterface.php?mact=ModuleManager page.
24 CVE-2020-13660 79 XSS 2020-05-28 2020-05-29
3.5
None Remote Medium ??? None Partial None
CMS Made Simple through 2.2.14 allows XSS via a crafted File Picker profile name.
25 CVE-2020-10682 434 Exec Code 2020-03-20 2020-03-24
6.8
None Remote Medium Not required Partial Partial Partial
The Filemanager in CMS Made Simple 2.2.13 allows remote code execution via a .php.jpegd JPEG file, as demonstrated by m1_files[] to admin/moduleinterface.php. The file should be sent as application/octet-stream and contain PHP code (it need not be a valid JPEG file).
26 CVE-2020-10681 79 XSS 2020-03-20 2020-03-25
3.5
None Remote Medium ??? None Partial None
The Filemanager in CMS Made Simple 2.2.13 has stored XSS via a .pxd file, as demonstrated by m1_files[] to admin/moduleinterface.php.
27 CVE-2019-1010290 601 2019-07-16 2019-07-19
5.8
None Remote Medium Not required Partial Partial None
Babel: Multilingual site Babel All is affected by: Open Redirection. The impact is: Redirection to any URL, which is supplied to redirect.php in a "newurl" parameter. The component is: redirect.php. The attack vector is: The victim must open a link created by an attacker. Attacker may use any legitimate site using Babel to redirect user to a URL of his/her choosing.
28 CVE-2019-17630 79 XSS 2019-10-16 2019-10-16
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "News > Add Article" screen.
29 CVE-2019-17629 79 XSS 2019-10-16 2019-10-16
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "file manager > upload images" screen.
30 CVE-2019-17226 79 XSS 2019-10-06 2019-10-08
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Module Manager > Search Term field.
31 CVE-2019-11513 79 XSS 2019-04-25 2019-04-27
3.5
None Remote Medium ??? None Partial None
The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action.
32 CVE-2019-11226 79 XSS 2019-06-05 2019-06-05
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News.
33 CVE-2019-10107 79 XSS 2019-03-26 2019-03-27
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the myaccount.php "Email Address" field, which is reachable via the "My Preferences -> My Account" section.
34 CVE-2019-10106 79 XSS 2019-03-26 2019-03-27
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name field, which is reachable via an "Add Category" action to the "Site Admin Settings - News module" section.
35 CVE-2019-10105 79 XSS 2019-03-26 2019-03-27
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager.
36 CVE-2019-10017 79 XSS 2019-03-24 2019-07-18
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker.
37 CVE-2019-9693 89 Sql 2019-03-11 2019-03-12
6.5
None Remote Low ??? Partial Partial Partial
In CMS Made Simple (CMSMS) before 2.2.10, an authenticated user can achieve SQL Injection in class.showtime2_data.php via the functions _updateshow (parameter show_id), _inputshow (parameter show_id), _Getshowinfo (parameter show_id), _Getpictureinfo (parameter picture_id), _AdjustNameSeq (parameter shownumber), _Updatepicture (parameter picture_id), and _Deletepicture (parameter picture_id).
38 CVE-2019-9692 434 2019-03-11 2019-04-02
4.0
None Remote Low ??? None Partial None
class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).
39 CVE-2019-9061 502 2019-03-26 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature.
40 CVE-2019-9060 22 Dir. Trav. 2021-09-17 2021-09-28
5.0
None Remote Low Not required Partial None None
An issue was discovered in CMS Made Simple 2.2.8. It is possible to achieve unauthenticated path traversal in the CGExtensions module (in the file action.setdefaulttemplate.php) with the m1_filename parameter; and through the action.showmessage.php file, it is possible to read arbitrary file content (by using that path traversal with m1_prefname set to cg_errormsg and m1_resettodefault=1).
41 CVE-2019-9059 77 2019-03-26 2019-03-27
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in CMS Made Simple 2.2.8. It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable in Mail Settings, setting "sendmail" in the "Mailer" option, and launching the "Forgot your password" feature.
42 CVE-2019-9058 915 2019-03-26 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in CMS Made Simple 2.2.8. In the administrator page admin/changegroupperm.php, it is possible to send a crafted value in the sel_groups parameter that leads to authenticated object injection.
43 CVE-2019-9057 502 2019-03-26 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection.
44 CVE-2019-9056 502 2019-04-11 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in CMS Made Simple 2.2.8. In the module FrontEndUsers (in the file class.FrontEndUsersManipulate.php or class.FrontEndUsersManipulator.php), it is possible to reach an unserialize call with an untrusted __FEU__ cookie, and achieve authenticated object injection.
45 CVE-2019-9055 502 2019-03-26 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible reach an unserialize call with a crafted value in the m1_allparms parameter, and achieve object injection.
46 CVE-2019-9053 89 Sql 2019-03-26 2019-04-24
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.
47 CVE-2018-1000158 732 2018-04-18 2019-10-03
4.3
None Remote Medium Not required Partial None None
cmsmadesimple version 2.2.7 contains a Incorrect Access Control vulnerability in the function of send_recovery_email in the line "$url = $config['admin_url'] . '/login.php?recoverme=' . $code;" that can result in Administrator Password Reset Poisoning, specifically a reset URL pointing at an attacker controlled server can be created by using a host header attack.
48 CVE-2018-1000094 434 Exec Code 2018-03-13 2019-03-19
6.5
None Remote Low ??? Partial Partial Partial
CMS Made Simple version 2.2.5 contains a Remote Code Execution vulnerability in File Manager that can result in Allows an authenticated admin that has access to the file manager to execute code on the server. This attack appear to be exploitable via File upload -> copy to any extension.
49 CVE-2018-1000092 352 CSRF 2018-03-13 2018-04-10
6.8
None Remote Medium Not required Partial Partial Partial
CMS Made Simple version versions 2.2.5 contains a Cross ite Request Forgery (CSRF) vulnerability in Admin profile page that can result in Details can be found here http://dev.cmsmadesimple.org/bug/view/11715. This attack appear to be exploitable via A specially crafted web page. This vulnerability appears to have been fixed in 2.2.6.
50 CVE-2018-20464 79 XSS 2018-12-25 2019-01-10
4.3
None Remote Medium Not required None Partial None
There is a reflected XSS vulnerability in the CMS Made Simple 2.2.8 admin/myaccount.php. This vulnerability is triggered upon an attempt to modify a user's mailbox with the wrong format. The response contains the user's previously entered email address.
Total number of vulnerabilities : 133   Page : 1 (This Page)2 3
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.