CVEdetails.com the ultimate security vulnerability data source

Cmsmadesimple » Cms Made Simple : Security Vulnerabilities (Cross Site Scripting (XSS))

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 CVE-2021-28935 79 XSS 2021-03-30 2021-06-04
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field.
2 CVE-2020-27377 79 XSS 2021-06-01 2021-06-09
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability was discovered in the Administrator panel on the 'Setting News' module on CMS Made Simple 2.2.14 which allows an attacker to execute arbitrary web scripts.
3 CVE-2020-24860 79 XSS 2020-10-01 2020-10-08
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website.
4 CVE-2020-22842 79 XSS 2020-09-30 2020-10-02
3.5
None Remote Medium ??? None Partial None
CMS Made Simple before 2.2.15 allows XSS via the m1_mod parameter in a ModuleManager local_uninstall action to admin/moduleinterface.php.
5 CVE-2020-20138 79 XSS 2020-12-17 2020-12-18
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) vulnerability in the Showtime2 Slideshow module in CMS Made Simple (CMSMS) 2.2.4.
6 CVE-2020-14926 79 XSS 2020-06-19 2020-06-24
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.14 allows XSS via a Search Term to the admin/moduleinterface.php?mact=ModuleManager page.
7 CVE-2020-13660 79 XSS 2020-05-28 2020-05-29
3.5
None Remote Medium ??? None Partial None
CMS Made Simple through 2.2.14 allows XSS via a crafted File Picker profile name.
8 CVE-2020-10681 79 XSS 2020-03-20 2020-03-25
3.5
None Remote Medium ??? None Partial None
The Filemanager in CMS Made Simple 2.2.13 has stored XSS via a .pxd file, as demonstrated by m1_files[] to admin/moduleinterface.php.
9 CVE-2019-17630 79 XSS 2019-10-16 2019-10-16
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "News > Add Article" screen.
10 CVE-2019-17629 79 XSS 2019-10-16 2019-10-16
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "file manager > upload images" screen.
11 CVE-2019-17226 79 XSS 2019-10-06 2019-10-08
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Module Manager > Search Term field.
12 CVE-2019-11513 79 XSS 2019-04-25 2019-04-27
3.5
None Remote Medium ??? None Partial None
The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action.
13 CVE-2019-11226 79 XSS 2019-06-05 2019-06-05
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News.
14 CVE-2019-10107 79 XSS 2019-03-26 2019-03-27
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the myaccount.php "Email Address" field, which is reachable via the "My Preferences -> My Account" section.
15 CVE-2019-10106 79 XSS 2019-03-26 2019-03-27
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name field, which is reachable via an "Add Category" action to the "Site Admin Settings - News module" section.
16 CVE-2019-10105 79 XSS 2019-03-26 2019-03-27
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager.
17 CVE-2019-10017 79 XSS 2019-03-24 2019-07-18
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker.
18 CVE-2018-20464 79 XSS 2018-12-25 2019-01-10
4.3
None Remote Medium Not required None Partial None
There is a reflected XSS vulnerability in the CMS Made Simple 2.2.8 admin/myaccount.php. This vulnerability is triggered upon an attempt to modify a user's mailbox with the wrong format. The response contains the user's previously entered email address.
19 CVE-2018-19597 79 XSS 2018-12-19 2019-02-26
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798.
20 CVE-2018-18271 79 XSS 2018-10-12 2018-11-28
4.3
None Remote Medium Not required None Partial None
XSS exists in CMS Made Simple version 2.2.7 via the m1_extra parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action.
21 CVE-2018-18270 79 XSS 2018-10-12 2018-11-28
4.3
None Remote Medium Not required None Partial None
XSS exists in CMS Made Simple version 2.2.7 via the m1_news_url parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action.
22 CVE-2018-10033 79 XSS 2018-04-11 2018-04-13
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (aka CMSMS) 2.2.7 has Stored XSS in admin/siteprefs.php via the metadata parameter.
23 CVE-2018-10032 79 XSS 2018-04-11 2018-04-13
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_version parameter.
24 CVE-2018-10029 79 XSS 2018-04-11 2018-04-13
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_name parameter, related to moduledepends, a different vulnerability than CVE-2017-16799.
25 CVE-2018-8058 79 XSS 2018-03-12 2018-03-29
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.6 has XSS in admin/moduleinterface.php via the pagedata parameter.
26 CVE-2018-7893 79 XSS 2018-03-12 2018-03-29
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.6 has stored XSS in admin/moduleinterface.php via the metadata parameter.
27 CVE-2018-5965 79 XSS 2018-01-25 2018-02-07
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_errors parameter.
28 CVE-2018-5964 79 XSS 2018-01-25 2018-02-07
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_messages parameter.
29 CVE-2018-5963 79 XSS 2018-01-25 2018-02-07
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/addbookmark.php via the title parameter.
30 CVE-2017-16798 79 XSS Bypass 2017-11-12 2019-11-21
3.5
None Remote Medium ??? None Partial None
In CMS Made Simple 2.2.3.1, the is_file_acceptable function in modules/FileManager/action.upload.php only blocks file extensions that begin or end with a "php" substring, which allows remote attackers to bypass intended access restrictions or trigger XSS via other extensions, as demonstrated by .phtml, .pht, .html, or .svg.
31 CVE-2017-16784 79 XSS 2017-11-10 2017-11-22
4.3
None Remote Medium Not required None Partial None
In CMS Made Simple 2.2.2, there is Reflected XSS via the cntnt01detailtemplate parameter.
32 CVE-2017-9668 79 XSS 2017-06-18 2017-06-22
4.3
None Remote Medium Not required None Partial None
In admin\addgroup.php in CMS Made Simple 2.1.6, when adding a user group, there is no XSS filtering, resulting in storage-type XSS generation, via the description parameter in an addgroup action.
33 CVE-2017-7257 79 XSS 2017-03-24 2017-03-31
3.5
None Remote Medium ??? None Partial None
XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_content parameter. Someone must login to conduct the attack.
34 CVE-2017-7256 79 XSS 2017-03-24 2017-03-31
3.5
None Remote Medium ??? None Partial None
XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_summary parameter. Someone must login to conduct the attack.
35 CVE-2017-7255 79 XSS 2017-03-24 2017-04-05
3.5
None Remote Medium ??? None Partial None
XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_title parameter. Someone must login to conduct the attack.
36 CVE-2017-6556 79 XSS 2017-03-09 2017-03-18
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the "adminpage > sitesetting > General Settings > globalmetadata" field.
37 CVE-2017-6555 79 XSS 2017-03-09 2017-03-18
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in /admin/moduleinterface.php in CMS Made Simple 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the m1_description parameter (aka "Design Manager > Categories > Category Description").
38 CVE-2016-2784 79 XSS 2016-05-26 2018-10-09
2.6
None Remote High Not required None Partial None
CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2, when Smarty Cache is activated, allow remote attackers to conduct cache poisoning attacks, modify links, and conduct cross-site scripting (XSS) attacks via a crafted HTTP Host header in a request.
39 CVE-2014-2092 79 XSS 2014-03-02 2015-08-13
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in lib/filemanager/ImageManager/editorFrame.php in CMS Made Simple 1.11.10 allows remote attackers to inject arbitrary web script or HTML via the action parameter, a different issue than CVE-2014-0334. NOTE: the original disclosure also reported issues that may not cross privilege boundaries.
40 CVE-2014-0334 79 XSS 2014-03-02 2015-07-24
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple allow remote authenticated users to inject arbitrary web script or HTML via (1) the group parameter to admin/addgroup.php, (2) the htmlblob parameter to admin/addhtmlblob.php, the (3) title or (4) url parameter to admin/addbookmark.php, (5) the stylesheet_name parameter to admin/copystylesheet.php, (6) the template_name parameter to admin/copytemplate.php, the (7) title or (8) url parameter to admin/editbookmark.php, (9) the template parameter to admin/listtemplates.php, or (10) the css_name parameter to admin/listcss.php, a different issue than CVE-2014-2092.
41 CVE-2013-4167 79 XSS 2013-10-11 2013-10-15
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) before 1.11.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
42 CVE-2013-3929 79 XSS 2013-12-09 2013-12-10
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in admin/editevent.php in CMS Made Simple (CMSMS) 1.11.9 allows remote authenticated users with the "Modify Events" permission to inject arbitrary web script or HTML via the handler parameter.
43 CVE-2012-1992 79 XSS 2012-04-11 2012-11-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in admin/edituser.php in CMS Made Simple 1.10.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the email parameter (aka the Email Address field in the Edit User template).
44 CVE-2010-3882 79 XSS 2010-10-08 2010-10-11
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple 1.7.1 and earlier allow remote attackers to inject arbitrary web script or HTML via input to the (1) Add Pages, (2) Add Global Content, (3) Edit Global Content, (4) Add Article, (5) Add Category, (6) Add Field Definition, or (7) Add Shortcut module.
45 CVE-2010-1482 79 XSS 2010-05-12 2010-05-13
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in admin/editprefs.php in the backend in CMS Made Simple (CMSMS) before 1.7.1 might allow remote attackers to inject arbitrary web script or HTML via the date_format_string parameter.
46 CVE-2007-5443 79 XSS 2007-10-14 2018-10-15
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple 1.1.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) the anchor tag and (2) listtags.
47 CVE-2007-0610 XSS 2007-01-31 2017-07-29
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the mailform feature in CMSimple 2.7 fix1 allows remote attackers to inject arbitrary web script or HTML via the sender parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
48 CVE-2006-6845 XSS 2006-12-31 2018-10-17
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the cntnt01searchinput parameter in a Search action.
49 CVE-2006-6844 XSS 2006-12-31 2018-10-17
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the optional user comment module in CMS Made Simple 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the user comment form.
50 CVE-2005-3083 XSS 2005-09-27 2016-10-18
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 0.10 allows remote attackers to inject arbitrary web script or HTML via the page parameter.
Total number of vulnerabilities: 51. Page 1 of 2.