Vulnerabilities > Cmsmadesimple > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-04-27 | CVE-2018-10515 | Code Injection vulnerability in Cmsmadesimple CMS Made Simple In CMS Made Simple (CMSMS) through 2.2.7, the "file unpack" operation in the admin dashboard contains a remote code execution vulnerability exploitable by an admin user because a .php file can be present in the extracted ZIP archive. | 7.2 |
| 2018-04-18 | CVE-2018-1000158 | Incorrect Permission Assignment for Critical Resource vulnerability in Cmsmadesimple CMS Made Simple 2.2.7 cmsmadesimple version 2.2.7 contains a Incorrect Access Control vulnerability in the function of send_recovery_email in the line "$url = $config['admin_url'] . | 8.8 |
| 2018-04-13 | CVE-2018-10086 | Code Injection vulnerability in Cmsmadesimple CMS Made Simple CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary code execution vulnerability in the admin dashboard because the implementation uses "eval('function testfunction'.rand()" and it is possible to bypass certain restrictions on these "testfunction" functions. | 7.2 |
| 2018-04-13 | CVE-2018-10084 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Cmsmadesimple CMS Made Simple CMS Made Simple (CMSMS) through 2.2.6 contains a privilege escalation vulnerability from ordinary user to admin user by arranging for the eff_uid value within $_COOKIE[$this->_loginkey] to equal 1, because an SHA-1 cryptographic protection mechanism can be bypassed. | 8.8 |
| 2018-04-13 | CVE-2018-10083 | Path Traversal vulnerability in Cmsmadesimple CMS Made Simple CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary file deletion vulnerability in the admin dashboard via directory traversal sequences in the val parameter within a cmd=del request, because code under modules\FilePicker does not restrict the val parameter. | 7.5 |
| 2018-04-11 | CVE-2018-10031 | Cross-Site Request Forgery (CSRF) vulnerability in Cmsmadesimple CMS Made Simple CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/moduleinterface.php. | 8.8 |
| 2018-04-11 | CVE-2018-10030 | Cross-Site Request Forgery (CSRF) vulnerability in Cmsmadesimple CMS Made Simple CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/siteprefs.php. | 8.8 |
| 2018-03-13 | CVE-2018-1000092 | Cross-Site Request Forgery (CSRF) vulnerability in Cmsmadesimple CMS Made Simple 2.2.5 CMS Made Simple version versions 2.2.5 contains a Cross ite Request Forgery (CSRF) vulnerability in Admin profile page that can result in Details can be found here http://dev.cmsmadesimple.org/bug/view/11715. | 8.8 |
| 2018-03-13 | CVE-2018-1000094 | Unrestricted Upload of File with Dangerous Type vulnerability in Cmsmadesimple CMS Made Simple 2.2.5 CMS Made Simple version 2.2.5 contains a Remote Code Execution vulnerability in File Manager that can result in Allows an authenticated admin that has access to the file manager to execute code on the server. | 7.2 |
| 2018-02-26 | CVE-2018-7448 | OS Command Injection vulnerability in Cmsmadesimple CMS Made Simple 2.1.6 Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure. | 7.5 |