Vulnerabilities
Vulnerable Software
File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file.
CVSS Score: 7.2
EPSS Score: 0.003
Published: 2023-05-08
SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php.
CVSS Score: 8.8
EPSS Score: 0.002
Published: 2023-05-08
CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, and it is possible to inject arbitrary SQL without using the ' character.
CVSS Score: 8.8
EPSS Score: 0.001
Published: 2022-06-09
CMS Made Simple before 2.2.15 allows XSS via the m1_mod parameter in a ModuleManager local_uninstall action to admin/moduleinterface.php.
CVSS Score: 5.4
EPSS Score: 0.004
Published: 2020-09-30
CMS Made Simple through 2.2.14 allows XSS via a crafted File Picker profile name.
CVSS Score: 4.8
EPSS Score: 0.003
Published: 2020-05-28
The news module in CMSMS before 1.9.4.3 allows remote attackers to corrupt new articles.
CVSS Score: 7.5
EPSS Score: 0.002
Published: 2019-11-26
The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action.
CVSS Score: 4.8
EPSS Score: 0.003
Published: 2019-04-25
An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible to reach an unserialize call with a crafted value in the m1_allparms parameter, and achieve object injection.
CVSS Score: 8.8
EPSS Score: 0.312
Published: 2019-03-26
An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection.
CVSS Score: 8.8
EPSS Score: 0.008
Published: 2019-03-26
An issue was discovered in CMS Made Simple 2.2.8. In the administrator page admin/changegroupperm.php, it is possible to send a crafted value in the sel_groups parameter that leads to authenticated object injection.
CVSS Score: 7.2
EPSS Score: 0.011
Published: 2019-03-26

