|Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')|
|Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')|
|Vulnerability||Severity Score||Release Date||Summary|
|CVE-2012-1992||4.3||April 11, 2012||
Cross-site scripting (XSS) vulnerability in admin/edituser.php in CMS Made Simple 1.10.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the email parameter (aka the Email Address field in the Edit User template).
|CVE-2012-6064||3.5||Dec. 3, 2012||
Directory traversal vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) before 18.104.22.168 allows remote authenticated administrators to delete arbitrary files via a .. (dot dot) in the deld parameter. NOTE: this can be leveraged using CSRF (CVE-2012-5450) to allow remote attackers to delete arbitrary files.
|CVE-2012-5450||6.8||Dec. 3, 2012||
Cross-site request forgery (CSRF) vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) 1.11.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deld parameter.
|CVE-2016-2784||2.6||May 26, 2016||
CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2, when Smarty Cache is activated, allow remote attackers to conduct cache poisoning attacks, modify links, and conduct cross-site scripting (XSS) attacks via a crafted HTTP Host header in a request.