2024

2023

2022

2021

2020

2019

2018

CVE-2018-10516 (v3: 6.5) 27 Apr 2018
In CMS Made Simple (CMSMS) through 2.2.7, the "file rename" operation in the admin dashboard contains a sensitive information disclosure vulnerability, exploitable by an admin user, that can cause DoS by moving config.php to the upload/ directory.
CVE-2018-10522 (v3: 4.9) 27 Apr 2018
In CMS Made Simple (CMSMS) through 2.2.7, the "file view" operation in the admin dashboard contains a sensitive information disclosure vulnerability, exploitable by ordinary users, because the product exposes unrestricted access to the PHP file_get_contents function.
CVE-2018-10523 (v3: 5.3) 27 Apr 2018
CMS Made Simple (CMSMS) through 2.2.7 contains a physical path leakage vulnerability via /modules/DesignManager/action.ajax_get_templates.php, /modules/DesignManager/action.ajax_get_stylesheets.php, /modules/FileManager/dunzip.php, or /modules/FileManager/untgz.php.
CVE-2018-10082 (v3: 5.3) 13 Apr 2018
CMS Made Simple (CMSMS) through 2.2.7 allows physical path leakage via an invalid /index.php?page= value, a crafted URI starting with /index.php?mact=Search, or a direct request to /admin/header.php, /admin/footer.php, /lib/tasks/class.ClearCache.task.php, or /lib/tasks/class.CmsSecurityCheck.task.php.

2017

CVE-2017-17734 (v3: 9.8) 18 Dec 2017
CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in sessions.
CVE-2017-17735 (v3: 9.8) 18 Dec 2017
CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in cookies.
CVE-2017-6070 (v3: 9.8) 21 Feb 2017
CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to execute PHP code via the cntnt01fbrp_forma_form_template parameter in admin_store_form.
CVE-2017-6071 (v3: 5.3) 21 Feb 2017
CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via exportxml.
CVE-2017-6072 (v3: 5.3) 21 Feb 2017
CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via defaultadmin.

2016

2015