Summary
Detail | |||
---|---|---|---|
Vendor | Cmsmadesimple | First view | 2005-07-27 |
Product | Cms Made Simple | Last view | 2023-10-26 |
Version | Type | ||
Update | |||
Edition | |||
Language | |||
Sofware Edition | |||
Target Software | |||
Target Hardware | |||
Other |
Activity : Overall
COMMON PLATFORM ENUMERATION: Repartition per Version
Related : CVE
Date | Alert | Description | |
---|---|---|---|
7.8 | 2023-10-26 | CVE-2023-43352 | An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component. |
5.4 | 2023-10-25 | CVE-2023-43360 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component. |
5.4 | 2023-10-23 | CVE-2023-43358 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the News Menu component. |
5.4 | 2023-10-20 | CVE-2023-43357 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the Manage Shortcuts component. |
5.4 | 2023-10-20 | CVE-2023-43356 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Global Meatadata parameter in the Global Settings Menu component. |
5.4 | 2023-10-20 | CVE-2023-43355 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the password and password again parameters in the My Preferences - Add user component. |
5.4 | 2023-10-20 | CVE-2023-43354 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Profiles parameter in the Extensions -MicroTiny WYSIWYG editor component. |
5.4 | 2023-10-20 | CVE-2023-43353 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the extra parameter in the news menu component. |
5.4 | 2023-10-19 | CVE-2023-43359 | Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Page Specific Metadata and Smarty data parameters in the Content Manager Menu component. |
5.4 | 2023-09-28 | CVE-2023-43872 | A File upload vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to upload a pdf file with hidden Cross Site Scripting (XSS). |
6.1 | 2023-09-25 | CVE-2023-43339 | Cross-Site Scripting (XSS) vulnerability in cmsmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload injected into the Database Name, DataBase User or Database Port components. |
5.4 | 2023-07-06 | CVE-2023-36970 | A Cross-site scripting (XSS) vulnerability in CMS Made Simple v2.2.17 allows remote attackers to inject arbitrary web script or HTML via the File Upload function. |
8.8 | 2023-07-06 | CVE-2023-36969 | CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function. |
8.8 | 2023-05-08 | CVE-2021-28999 | SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php. |
7.2 | 2023-05-08 | CVE-2021-28998 | File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file. |
8.8 | 2022-06-09 | CVE-2021-40961 | CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL language without using the '. |
6.1 | 2022-04-13 | CVE-2021-43154 | Cross Site Scripting (XSS) vulnerability exists in CMS Made Simple 2.2.15 via the Name field in an Add Category action in moduleinterface.php. |
6.1 | 2022-02-28 | CVE-2022-23907 | CMS Made Simple v2.2.15 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the parameter m1_fmmessage. |
7.2 | 2022-02-28 | CVE-2022-23906 | CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file. |
5.4 | 2021-09-22 | CVE-2020-23481 | CMS Made Simple 2.2.14 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Field Definition text field. |
7.5 | 2021-09-17 | CVE-2019-9060 | An issue was discovered in CMS Made Simple 2.2.8. It is possible to achieve unauthenticated path traversal in the CGExtensions module (in the file action.setdefaulttemplate.php) with the m1_filename parameter; and through the action.showmessage.php file, it is possible to read arbitrary file content (by using that path traversal with m1_prefname set to cg_errormsg and m1_resettodefault=1). |
4.8 | 2021-08-05 | CVE-2020-22732 | CMS Made Simple (CMSMS) 2.2.14 allows stored XSS via the Extensions > Fie Picker.. |
4.8 | 2021-07-26 | CVE-2020-23241 | Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via 'News > Article" feature. |
4.8 | 2021-07-26 | CVE-2020-23240 | Cross Site Scripting (XSS) vulnerablity in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature. |
5.4 | 2021-07-02 | CVE-2020-36416 | A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Design" parameter under the "Designs" module. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
52% (72) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
8% (11) | CWE-200 | Information Exposure |
7% (10) | CWE-434 | Unrestricted Upload of File with Dangerous Type |
5% (7) | CWE-352 | Cross-Site Request Forgery (CSRF) |
4% (6) | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
4% (6) | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('... |
4% (6) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |
3% (5) | CWE-502 | Deserialization of Untrusted Data |
2% (4) | CWE-732 | Incorrect Permission Assignment for Critical Resource |
1% (2) | CWE-264 | Permissions, Privileges, and Access Controls |
1% (2) | CWE-74 | Failure to Sanitize Data into a Different Plane ('Injection') |
0% (1) | CWE-640 | Weak Password Recovery Mechanism for Forgotten Password |
0% (1) | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
0% (1) | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('O... |
0% (1) | CWE-77 | Improper Sanitization of Special Elements used in a Command ('Comma... |
0% (1) | CWE-20 | Improper Input Validation |
CAPEC : Common Attack Pattern Enumeration & Classification
id | Name |
---|---|
CAPEC-21 | Exploitation of Session Variables, Resource IDs and other Trusted Credentials |
CAPEC-31 | Accessing/Intercepting/Modifying HTTP Cookies |
CAPEC-167 | Lifting Sensitive Data from the Client |
Open Source Vulnerability Database (OSVDB)
id | Description |
---|---|
75755 | CMS Made Simple Multiple Script Direct Request Path Disclosure |
73150 | News Module for CMS Made Simple Unspecified Issue |
68617 | CMS Made Simple lib/translation.functions.php default_cms_lang Parameter Trav... |
65369 | CMS Made Simple Add Global Content Module URI XSS |
65368 | CMS Made Simple Edit Global Content Module URI XSS |
65367 | CMS Made Simple Add Article Module URI XSS |
65366 | CMS Made Simple Add Category Module URI XSS |
65365 | CMS Made Simple Add Field Definition Module URI XSS |
65364 | CMS Made Simple Add Shortcut Module URI XSS |
65363 | CMS Made Simple Changes Group Permission Module CSRF |
65362 | CMS Made Simple Add Pages Module URI XSS |
65081 | CMS Made Simple Admin Password Manipulation CSRF |
64606 | CMS Made Simple admin/editprefs.php date_format_string Parameter XSS |
50384 | CMS Made Simple admin/login.php cms_language Cookie Traversal Local File Incl... |
45481 | CMS Made Simple Permission Check Bypass Administrative Function Access |
45480 | CMS Made Simple Unspecified File Upload Privilege Escalation |
42472 | CMS Made Simple Listtags XSS |
42471 | CMS Made Simple Anchor Tag XSS |
41033 | CMS Made Simple Unspecified Direct Request Path Disclosure |
40596 | ADOdb Lite adodb-perf-module.inc.php last_module Parameter Arbitrary Code Exe... |
39788 | CMS Made Simple modules/TinyMCE/content_css.php templateid Parameter SQL Inje... |
35744 | CMS Made Simple stylesheet.php templateid Parameter SQL Injection |
33572 | CMSimple cmsimple/cms.php Multiple Parameter Remote File Inclusion |
33327 | CMS Made Simple User Comment Module User Comment Form XSS |
32976 | CMSsimple mailform Feature sender Parameter XSS |
OpenVAS Exploits
id | Description |
---|---|
2010-07-14 | Name : CMS Made Simple 'default_cms_lang' Parameter Local File Include Vulnerability File : nvt/gb_cms_made_simple_41565.nasl |
2010-05-10 | Name : CMS Made Simple 'admin/editprefs.php' Cross-Site Scripting Vulnerability File : nvt/gb_cms_made_simple_39997.nasl |
2006-03-26 | Name : CMSimple index.php search XSS File : nvt/cmsimple_search_xss.nasl |
Snort® IPS/IDS
Date | Description |
---|---|
2019-05-02 | CMS Made Simple Showtime2 Module arbitrary PHP file upload attempt RuleID : 49635 - Type : SERVER-WEBAPP - Revision : 1 |
2018-11-10 | CMS Made Simple arbitrary PHP file upload attempt RuleID : 48104 - Type : SERVER-WEBAPP - Revision : 1 |
2018-02-03 | CMS Made Simple server side template injection attempt RuleID : 45264 - Type : SERVER-WEBAPP - Revision : 2 |
2018-02-03 | CMS Made Simple server side template injection attempt RuleID : 45263 - Type : SERVER-WEBAPP - Revision : 2 |
2017-12-13 | CMS Made Simple editusertag.php arbitrary PHP code execution attempt RuleID : 44764 - Type : SERVER-WEBAPP - Revision : 2 |
Nessus® Vulnerability Scanner
id | Description |
---|---|
2008-12-01 | Name: The remote web server contains a PHP application that is susceptible to a loc... File: cmsmadesimple_cms_language_file_include.nasl - Type: ACT_ATTACK |
2008-01-02 | Name: The remote web server contains a PHP script that is prone to a SQL injection ... File: cmsmadesimple_templateid_sql_injection.nasl - Type: ACT_ATTACK |
2007-09-24 | Name: The remote web server contains a CGI script that allows arbitrary command exe... File: adodb_lite_last_module_cmd_exec.nasl - Type: ACT_ATTACK |
2005-09-14 | Name: The remote web server is hosting a PHP application that is affected by a cros... File: cmsimple_search_xss.nasl - Type: ACT_ATTACK |
2005-09-01 | Name: The remote web server contains a PHP script that is vulnerable to remote file... File: cmsmadesimple_nls_file_include.nasl - Type: ACT_ATTACK |