Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Cms_made_simple
(Cmsmadesimple)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 151 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2017-11-12 | CVE-2017-16798 | In CMS Made Simple 2.2.3.1, the is_file_acceptable function in modules/FileManager/action.upload.php only blocks file extensions that begin or end with a "php" substring, which allows remote attackers to bypass intended access restrictions or trigger XSS via other extensions, as demonstrated by .phtml, .pht, .html, or .svg. | Cms_made_simple | N/A | ||
| 2019-03-26 | CVE-2019-9055 | An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible reach an unserialize call with a crafted value in the m1_allparms parameter, and achieve object injection. | Cms_made_simple | 8.8 | ||
| 2019-10-16 | CVE-2019-17630 | CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "News > Add Article" screen. | Cms_made_simple | N/A | ||
| 2019-10-16 | CVE-2019-17629 | CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "file manager > upload images" screen. | Cms_made_simple | N/A | ||
| 2019-10-06 | CVE-2019-17226 | CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Module Manager > Search Term field. | Cms_made_simple | N/A | ||
| 2017-07-18 | CVE-2017-11405 | In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a CMSContentManager action to admin/moduleinterface.php, followed by a FilePicker action to admin/moduleinterface.php in which type=image is changed to type=file. | Cms_made_simple | 4.9 | ||
| 2017-07-18 | CVE-2017-11404 | In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a FileManager action to admin/moduleinterface.php. | Cms_made_simple | 4.9 | ||
| 2019-03-24 | CVE-2019-10017 | CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker. | Cms_made_simple | 5.4 | ||
| 2019-06-05 | CVE-2019-11226 | CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News. | Cms_made_simple | 5.4 | ||
| 2019-04-25 | CVE-2019-11513 | The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action. | Cms_made_simple | 4.8 |