Summary
| Detail | |||
|---|---|---|---|
| Vendor | Cmsmadesimple | First view | 2005-07-27 |
| Product | Cms Made Simple | Last view | 2023-10-26 |
| Version | Type | ||
| Update | |||
| Edition | |||
| Language | |||
| Sofware Edition | |||
| Target Software | |||
| Target Hardware | |||
| Other | |||
Activity : Overall
COMMON PLATFORM ENUMERATION: Repartition per Version
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 7.8 | 2023-10-26 | CVE-2023-43352 | An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component. |
| 5.4 | 2023-10-25 | CVE-2023-43360 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component. |
| 5.4 | 2023-10-23 | CVE-2023-43358 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the News Menu component. |
| 5.4 | 2023-10-20 | CVE-2023-43357 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the Manage Shortcuts component. |
| 5.4 | 2023-10-20 | CVE-2023-43356 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Global Meatadata parameter in the Global Settings Menu component. |
| 5.4 | 2023-10-20 | CVE-2023-43355 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the password and password again parameters in the My Preferences - Add user component. |
| 5.4 | 2023-10-20 | CVE-2023-43354 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Profiles parameter in the Extensions -MicroTiny WYSIWYG editor component. |
| 5.4 | 2023-10-20 | CVE-2023-43353 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the extra parameter in the news menu component. |
| 5.4 | 2023-10-19 | CVE-2023-43359 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Page Specific Metadata and Smarty data parameters in the Content Manager Menu component. |
| 5.4 | 2023-09-28 | CVE-2023-43872 | A File upload vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to upload a pdf file with hidden Cross Site Scripting (XSS). |
| 6.1 | 2023-09-25 | CVE-2023-43339 | Cross-Site Scripting (XSS) vulnerability in cmsmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload injected into the Database Name, DataBase User or Database Port components. |
| 5.4 | 2023-07-06 | CVE-2023-36970 | A Cross-site scripting (XSS) vulnerability in CMS Made Simple v2.2.17 allows remote attackers to inject arbitrary web script or HTML via the File Upload function. |
| 8.8 | 2023-07-06 | CVE-2023-36969 | CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function. |
| 8.8 | 2023-05-08 | CVE-2021-28999 | SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php. |
| 7.2 | 2023-05-08 | CVE-2021-28998 | File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file. |
| 8.8 | 2022-06-09 | CVE-2021-40961 | CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL language without using the '. |
| 6.1 | 2022-04-13 | CVE-2021-43154 | Cross Site Scripting (XSS) vulnerability exists in CMS Made Simple 2.2.15 via the Name field in an Add Category action in moduleinterface.php. |
| 6.1 | 2022-02-28 | CVE-2022-23907 | CMS Made Simple v2.2.15 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the parameter m1_fmmessage. |
| 7.2 | 2022-02-28 | CVE-2022-23906 | CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file. |
| 5.4 | 2021-09-22 | CVE-2020-23481 | CMS Made Simple 2.2.14 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Field Definition text field. |
| 7.5 | 2021-09-17 | CVE-2019-9060 | An issue was discovered in CMS Made Simple 2.2.8. It is possible to achieve unauthenticated path traversal in the CGExtensions module (in the file action.setdefaulttemplate.php) with the m1_filename parameter; and through the action.showmessage.php file, it is possible to read arbitrary file content (by using that path traversal with m1_prefname set to cg_errormsg and m1_resettodefault=1). |
| 4.8 | 2021-08-05 | CVE-2020-22732 | CMS Made Simple (CMSMS) 2.2.14 allows stored XSS via the Extensions > Fie Picker.. |
| 4.8 | 2021-07-26 | CVE-2020-23241 | Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via 'News > Article" feature. |
| 4.8 | 2021-07-26 | CVE-2020-23240 | Cross Site Scripting (XSS) vulnerablity in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature. |
| 5.4 | 2021-07-02 | CVE-2020-36416 | A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Design" parameter under the "Designs" module. |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 52% (72) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
| 8% (11) | CWE-200 | Information Exposure |
| 7% (10) | CWE-434 | Unrestricted Upload of File with Dangerous Type |
| 5% (7) | CWE-352 | Cross-Site Request Forgery (CSRF) |
| 4% (6) | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
| 4% (6) | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('... |
| 4% (6) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |
| 3% (5) | CWE-502 | Deserialization of Untrusted Data |
| 2% (4) | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| 1% (2) | CWE-264 | Permissions, Privileges, and Access Controls |
| 1% (2) | CWE-74 | Failure to Sanitize Data into a Different Plane ('Injection') |
| 0% (1) | CWE-640 | Weak Password Recovery Mechanism for Forgotten Password |
| 0% (1) | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| 0% (1) | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('O... |
| 0% (1) | CWE-77 | Improper Sanitization of Special Elements used in a Command ('Comma... |
| 0% (1) | CWE-20 | Improper Input Validation |
CAPEC : Common Attack Pattern Enumeration & Classification
| id | Name |
|---|---|
| CAPEC-21 | Exploitation of Session Variables, Resource IDs and other Trusted Credentials |
| CAPEC-31 | Accessing/Intercepting/Modifying HTTP Cookies |
| CAPEC-167 | Lifting Sensitive Data from the Client |
Open Source Vulnerability Database (OSVDB)
| id | Description |
|---|---|
| 75755 | CMS Made Simple Multiple Script Direct Request Path Disclosure |
| 73150 | News Module for CMS Made Simple Unspecified Issue |
| 68617 | CMS Made Simple lib/translation.functions.php default_cms_lang Parameter Trav... |
| 65369 | CMS Made Simple Add Global Content Module URI XSS |
| 65368 | CMS Made Simple Edit Global Content Module URI XSS |
| 65367 | CMS Made Simple Add Article Module URI XSS |
| 65366 | CMS Made Simple Add Category Module URI XSS |
| 65365 | CMS Made Simple Add Field Definition Module URI XSS |
| 65364 | CMS Made Simple Add Shortcut Module URI XSS |
| 65363 | CMS Made Simple Changes Group Permission Module CSRF |
| 65362 | CMS Made Simple Add Pages Module URI XSS |
| 65081 | CMS Made Simple Admin Password Manipulation CSRF |
| 64606 | CMS Made Simple admin/editprefs.php date_format_string Parameter XSS |
| 50384 | CMS Made Simple admin/login.php cms_language Cookie Traversal Local File Incl... |
| 45481 | CMS Made Simple Permission Check Bypass Administrative Function Access |
| 45480 | CMS Made Simple Unspecified File Upload Privilege Escalation |
| 42472 | CMS Made Simple Listtags XSS |
| 42471 | CMS Made Simple Anchor Tag XSS |
| 41033 | CMS Made Simple Unspecified Direct Request Path Disclosure |
| 40596 | ADOdb Lite adodb-perf-module.inc.php last_module Parameter Arbitrary Code Exe... |
| 39788 | CMS Made Simple modules/TinyMCE/content_css.php templateid Parameter SQL Inje... |
| 35744 | CMS Made Simple stylesheet.php templateid Parameter SQL Injection |
| 33572 | CMSimple cmsimple/cms.php Multiple Parameter Remote File Inclusion |
| 33327 | CMS Made Simple User Comment Module User Comment Form XSS |
| 32976 | CMSsimple mailform Feature sender Parameter XSS |
OpenVAS Exploits
| id | Description |
|---|---|
| 2010-07-14 | Name : CMS Made Simple 'default_cms_lang' Parameter Local File Include Vulnerability File : nvt/gb_cms_made_simple_41565.nasl |
| 2010-05-10 | Name : CMS Made Simple 'admin/editprefs.php' Cross-Site Scripting Vulnerability File : nvt/gb_cms_made_simple_39997.nasl |
| 2006-03-26 | Name : CMSimple index.php search XSS File : nvt/cmsimple_search_xss.nasl |
Snort® IPS/IDS
| Date | Description |
|---|---|
| 2019-05-02 | CMS Made Simple Showtime2 Module arbitrary PHP file upload attempt RuleID : 49635 - Type : SERVER-WEBAPP - Revision : 1 |
| 2018-11-10 | CMS Made Simple arbitrary PHP file upload attempt RuleID : 48104 - Type : SERVER-WEBAPP - Revision : 1 |
| 2018-02-03 | CMS Made Simple server side template injection attempt RuleID : 45264 - Type : SERVER-WEBAPP - Revision : 2 |
| 2018-02-03 | CMS Made Simple server side template injection attempt RuleID : 45263 - Type : SERVER-WEBAPP - Revision : 2 |
| 2017-12-13 | CMS Made Simple editusertag.php arbitrary PHP code execution attempt RuleID : 44764 - Type : SERVER-WEBAPP - Revision : 2 |
Nessus® Vulnerability Scanner
| id | Description |
|---|---|
| 2008-12-01 | Name: The remote web server contains a PHP application that is susceptible to a loc... File: cmsmadesimple_cms_language_file_include.nasl - Type: ACT_ATTACK |
| 2008-01-02 | Name: The remote web server contains a PHP script that is prone to a SQL injection ... File: cmsmadesimple_templateid_sql_injection.nasl - Type: ACT_ATTACK |
| 2007-09-24 | Name: The remote web server contains a CGI script that allows arbitrary command exe... File: adodb_lite_last_module_cmd_exec.nasl - Type: ACT_ATTACK |
| 2005-09-14 | Name: The remote web server is hosting a PHP application that is affected by a cros... File: cmsimple_search_xss.nasl - Type: ACT_ATTACK |
| 2005-09-01 | Name: The remote web server contains a PHP script that is vulnerable to remote file... File: cmsmadesimple_nls_file_include.nasl - Type: ACT_ATTACK |
