Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Cmsmadesimple Subscribe
Filtered by product Cms Made Simple
Total 132 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-9693 1 Cmsmadesimple 1 Cms Made Simple 2019-03-12 6.5 MEDIUM 8.8 HIGH
In CMS Made Simple (CMSMS) before 2.2.10, an authenticated user can achieve SQL Injection in class.showtime2_data.php via the functions _updateshow (parameter show_id), _inputshow (parameter show_id), _Getshowinfo (parameter show_id), _Getpictureinfo (parameter picture_id), _AdjustNameSeq (parameter shownumber), _Updatepicture (parameter picture_id), and _Deletepicture (parameter picture_id).
CVE-2018-19597 1 Cmsmadesimple 1 Cms Made Simple 2019-02-26 3.5 LOW 4.8 MEDIUM
CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798.
CVE-2018-20464 1 Cmsmadesimple 1 Cms Made Simple 2019-01-10 4.3 MEDIUM 6.1 MEDIUM
There is a reflected XSS vulnerability in the CMS Made Simple 2.2.8 admin/myaccount.php. This vulnerability is triggered upon an attempt to modify a user's mailbox with the wrong format. The response contains the user's previously entered email address.
CVE-2018-18270 1 Cmsmadesimple 1 Cms Made Simple 2018-11-28 4.3 MEDIUM 6.1 MEDIUM
XSS exists in CMS Made Simple version 2.2.7 via the m1_news_url parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action.
CVE-2018-18271 1 Cmsmadesimple 1 Cms Made Simple 2018-11-28 4.3 MEDIUM 6.1 MEDIUM
XSS exists in CMS Made Simple version 2.2.7 via the m1_extra parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action.
CVE-2010-3884 1 Cmsmadesimple 1 Cms Made Simple 2018-11-27 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in CMS Made Simple 1.8.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that reset the administrative password. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2005-2392 1 Cmsmadesimple 1 Cms Made Simple 2018-10-19 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in index.php for CMSimple 2.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter in the search function.
CVE-2006-6845 1 Cmsmadesimple 1 Cms Made Simple 2018-10-17 6.8 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the cntnt01searchinput parameter in a Search action.
CVE-2006-6844 1 Cmsmadesimple 1 Cms Made Simple 2018-10-17 6.8 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the optional user comment module in CMS Made Simple 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the user comment form.
CVE-2007-0551 1 Cmsmadesimple 1 Cms Made Simple 2018-10-16 7.5 HIGH N/A
Multiple PHP remote file inclusion vulnerabilities in cmsimple/cms.php in CMSimple 2.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) pth[file][config] and (2) pth[file][image] parameters.
CVE-2007-5443 1 Cmsmadesimple 1 Cms Made Simple 2018-10-15 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple 1.1.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) the anchor tag and (2) listtags.
CVE-2007-5444 1 Cmsmadesimple 1 Cms Made Simple 2018-10-15 5.0 MEDIUM N/A
CMS Made Simple 1.1.3.1 allows remote attackers to obtain the full path via a direct request for unspecified files.
CVE-2007-5441 1 Cmsmadesimple 1 Cms Made Simple 2018-10-15 6.5 MEDIUM N/A
CMS Made Simple 1.1.3.1 does not check the permissions assigned to users in some situations, which allows remote authenticated users to perform some administrative actions, as demonstrated by (1) adding a user via a direct request to admin/adduser.php and (2) reading the admin log via an "admin/adminlog.php?page=1" request.
CVE-2007-5442 1 Cmsmadesimple 1 Cms Made Simple 2018-10-15 3.5 LOW N/A
CMS Made Simple 1.1.3.1 does not check the permissions assigned to users who attempt uploads, which allows remote authenticated users to upload unspecified files via unknown vectors.
CVE-2016-2784 1 Cmsmadesimple 1 Cms Made Simple 2018-10-09 2.6 LOW 4.7 MEDIUM
CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2, when Smarty Cache is activated, allow remote attackers to conduct cache poisoning attacks, modify links, and conduct cross-site scripting (XSS) attacks via a crafted HTTP Host header in a request.
CVE-2018-9921 1 Cmsmadesimple 1 Cms Made Simple 2018-05-25 5.0 MEDIUM 5.3 MEDIUM
In CMS Made Simple 2.2.7, a Directory Traversal issue makes it possible to determine the existence of files and directories outside the web-site installation directory, and determine whether a file has contents matching a specified checksum. The attack uses an admin/checksum.php?__c= request.
CVE-2018-10516 1 Cmsmadesimple 1 Cms Made Simple 2018-05-24 5.5 MEDIUM 6.5 MEDIUM
In CMS Made Simple (CMSMS) through 2.2.7, the "file rename" operation in the admin dashboard contains a sensitive information disclosure vulnerability, exploitable by an admin user, that can cause DoS by moving config.php to the upload/ directory.
CVE-2018-10515 1 Cmsmadesimple 1 Cms Made Simple 2018-05-24 6.5 MEDIUM 7.2 HIGH
In CMS Made Simple (CMSMS) through 2.2.7, the "file unpack" operation in the admin dashboard contains a remote code execution vulnerability exploitable by an admin user because a .php file can be present in the extracted ZIP archive.
CVE-2018-10521 1 Cmsmadesimple 1 Cms Made Simple 2018-05-24 4.0 MEDIUM 2.7 LOW
In CMS Made Simple (CMSMS) through 2.2.7, the "file move" operation in the admin dashboard contains an arbitrary file movement vulnerability that can cause DoS, exploitable by an admin user, because config.php can be moved into an incorrect directory.
CVE-2018-10522 1 Cmsmadesimple 1 Cms Made Simple 2018-05-24 4.0 MEDIUM 4.9 MEDIUM
In CMS Made Simple (CMSMS) through 2.2.7, the "file view" operation in the admin dashboard contains a sensitive information disclosure vulnerability, exploitable by ordinary users, because the product exposes unrestricted access to the PHP file_get_contents function.