Vulnerabilities > Cmsmadesimple > CMS Made Simple > 2.2.7
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-03-26 | CVE-2019-9055 | Deserialization of Untrusted Data vulnerability in Cmsmadesimple CMS Made Simple An issue was discovered in CMS Made Simple 2.2.8. | 8.8 |
| 2019-03-11 | CVE-2019-9693 | SQL Injection vulnerability in Cmsmadesimple CMS Made Simple In CMS Made Simple (CMSMS) before 2.2.10, an authenticated user can achieve SQL Injection in class.showtime2_data.php via the functions _updateshow (parameter show_id), _inputshow (parameter show_id), _Getshowinfo (parameter show_id), _Getpictureinfo (parameter picture_id), _AdjustNameSeq (parameter shownumber), _Updatepicture (parameter picture_id), and _Deletepicture (parameter picture_id). | 8.8 |
| 2019-03-11 | CVE-2019-9692 | Unrestricted Upload of File with Dangerous Type vulnerability in Cmsmadesimple CMS Made Simple class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG). | 6.5 |
| 2018-10-12 | CVE-2018-18271 | Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.7 XSS exists in CMS Made Simple version 2.2.7 via the m1_extra parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action. | 6.1 |
| 2018-10-12 | CVE-2018-18270 | Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.7 XSS exists in CMS Made Simple version 2.2.7 via the m1_news_url parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action. | 6.1 |
| 2018-04-27 | CVE-2018-10523 | Information Exposure vulnerability in Cmsmadesimple CMS Made Simple CMS Made Simple (CMSMS) through 2.2.7 contains a physical path leakage Vulnerability via /modules/DesignManager/action.ajax_get_templates.php, /modules/DesignManager/action.ajax_get_stylesheets.php, /modules/FileManager/dunzip.php, or /modules/FileManager/untgz.php. | 5.3 |
| 2018-04-27 | CVE-2018-10522 | Information Exposure vulnerability in Cmsmadesimple CMS Made Simple In CMS Made Simple (CMSMS) through 2.2.7, the "file view" operation in the admin dashboard contains a sensitive information disclosure vulnerability, exploitable by ordinary users, because the product exposes unrestricted access to the PHP file_get_contents function. | 4.9 |
| 2018-04-27 | CVE-2018-10521 | Unrestricted Upload of File with Dangerous Type vulnerability in Cmsmadesimple CMS Made Simple In CMS Made Simple (CMSMS) through 2.2.7, the "file move" operation in the admin dashboard contains an arbitrary file movement vulnerability that can cause DoS, exploitable by an admin user, because config.php can be moved into an incorrect directory. | 2.7 |
| 2018-04-27 | CVE-2018-10520 | Incorrect Permission Assignment for Critical Resource vulnerability in Cmsmadesimple CMS Made Simple In CMS Made Simple (CMSMS) through 2.2.7, the "module remove" operation in the admin dashboard contains an arbitrary file deletion vulnerability that can cause DoS, exploitable by an admin user, because the attacker can remove all lib/ files in all directories. | 6.5 |
| 2018-04-27 | CVE-2018-10519 | Incorrect Permission Assignment for Critical Resource vulnerability in Cmsmadesimple CMS Made Simple 2.2.7 CMS Made Simple (CMSMS) 2.2.7 contains a privilege escalation vulnerability from ordinary user to admin user by arranging for the eff_uid value within $_COOKIE[$this->_loginkey] to equal 1, because files in the tmp/ directory are accessible through HTTP requests. | 8.8 |