Cmsmadesimple: >> Cms Made Simple >> 2.2.15 Security Vulnerabilities
File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file.
CVSS Score
7.2
EPSS Score
0.003
Published
2023-05-08
SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php.
CVSS Score
8.8
EPSS Score
0.002
Published
2023-05-08
CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL language without using the '.
CVSS Score
8.8
EPSS Score
0.003
Published
2022-06-09
Cross Site Scripting (XSS) vulnerability exists in CMS Made Simple 2.2.15 via the Name field in an Add Category action in moduleinterface.php.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-04-13
CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file.
CVSS Score
7.2
EPSS Score
0.064
Published
2022-02-28
CMS Made Simple v2.2.15 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the parameter m1_fmmessage.
CVSS Score
6.1
EPSS Score
0.005
Published
2022-02-28
CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-03-30
CMS Made Simple version 2.1.6 and 2.2 are vulnerable to Smarty templating injection in some core modules, resulting in unauthenticated PHP code execution.
CVSS Score
9.8
EPSS Score
0.01
Published
2018-01-02
CMS Made Simple 2.1.6, 2.2, 2.2.1 are vulnerable to Smarty Template Injection in some core components, resulting in local file read before 2.2, and local file inclusion since 2.2.1
CVSS Score
7.8
EPSS Score
0.002
Published
2018-01-02
Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple allow remote authenticated users to inject arbitrary web script or HTML via (1) the group parameter to admin/addgroup.php, (2) the htmlblob parameter to admin/addhtmlblob.php, the (3) title or (4) url parameter to admin/addbookmark.php, (5) the stylesheet_name parameter to admin/copystylesheet.php, (6) the template_name parameter to admin/copytemplate.php, the (7) title or (8) url parameter to admin/editbookmark.php, (9) the template parameter to admin/listtemplates.php, or (10) the css_name parameter to admin/listcss.php, a different issue than CVE-2014-2092.
CVSS Score
3.5
EPSS Score
0.006
Published
2014-03-02
Page 1