This article is a part of our Vulnerability Database (back to index)
Cross-site Scripting occurrences in Cms Made Simple
Cross Site Scripting (XSS) vulnerability exists in CMS Made Simple 2.2.15 via the Name field in an Add Category action in moduleinterface.php. (2022-04-13, CVE-2021-43154)
CMS Made Simple v2.2.15 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the parameter m1_fmmessage. (2022-02-28, CVE-2022-23907)
CMS Made Simple 2.2.14 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Field Definition text field. (2021-09-22, CVE-2020-23481)
CMS Made Simple (CMSMS) 2.2.14 allows stored XSS via the Extensions > Fie Picker.. (2021-08-05, CVE-2020-22732)
Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via 'News > Article" feature. (2021-07-26, CVE-2020-23241)
Cross Site Scripting (XSS) vulnerablity in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature. (2021-07-26, CVE-2020-23240)
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add Category" parameter under the "Categories" module. (2021-07-02, CVE-2020-36409)
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add Shortcut" parameter under the "Manage Shortcuts" module. (2021-07-02, CVE-2020-36408)
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Design" parameter under the "Designs" module. (2021-07-02, CVE-2020-36416)
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Stylesheet" parameter under the "Stylesheets" module. (2021-07-02, CVE-2020-36415)
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Email address to receive notification of news submission" parameter under the "Options" module. (2021-07-02, CVE-2020-36410)
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Exclude these IP addresses from the "Site Down" status" parameter under the "Maintenance Mode" module. (2021-07-02, CVE-2020-36413)
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Path for the {page_image} tag:" or "Path for thumbnail field:" parameters under the "Content Editing Settings" module. (2021-07-02, CVE-2020-36411)
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Search Text" field under the "Admin Search" module. (2021-07-02, CVE-2020-36412)
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "URL (slug)" or "Extra" fields under the "Add Article" feature. (2021-07-02, CVE-2020-36414)
A cross-site scripting (XSS) vulnerability was discovered in the Administrator panel on the 'Setting News' module on CMS Made Simple 2.2.14 which allows an attacker to execute arbitrary web scripts. (2021-06-01, CVE-2020-27377)
CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field. (2021-03-30, CVE-2021-28935)
Cross Site Scripting (XSS) vulnerability in the Showtime2 Slideshow module in CMS Made Simple (CMSMS) 2.2.4. (2020-12-17, CVE-2020-20138)
CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website. (2020-10-01, CVE-2020-24860)
CMS Made Simple before 2.2.15 allows XSS via the m1_mod parameter in a ModuleManager local_uninstall action to admin/moduleinterface.php. (2020-09-30, CVE-2020-22842)
CMS Made Simple 2.2.14 allows XSS via a Search Term to the admin/moduleinterface.php?mact=ModuleManager page. (2020-06-19, CVE-2020-14926)
CMS Made Simple through 2.2.14 allows XSS via a crafted File Picker profile name. (2020-05-28, CVE-2020-13660)
The Filemanager in CMS Made Simple 2.2.13 has stored XSS via a .pxd file, as demonstrated by m1_files[] to admin/moduleinterface.php. (2020-03-20, CVE-2020-10681)
CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "file manager > upload images" screen. (2019-10-16, CVE-2019-17629)
CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "News > Add Article" screen. (2019-10-16, CVE-2019-17630)
CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Module Manager > Search Term field. (2019-10-06, CVE-2019-17226)
CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News. (2019-06-05, CVE-2019-11226)
The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action. (2019-04-25, CVE-2019-11513)
CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager. (2019-03-26, CVE-2019-10105)
CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name field, which is reachable via an "Add Category" action to the "Site Admin Settings - News module" section. (2019-03-26, CVE-2019-10106)
CMS Made Simple 2.2.10 has XSS via the myaccount.php "Email Address" field, which is reachable via the "My Preferences -> My Account" section. (2019-03-26, CVE-2019-10107)
CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker. (2019-03-24, CVE-2019-10017)
There is a reflected XSS vulnerability in the CMS Made Simple 2.2.8 admin/myaccount.php. This vulnerability is triggered upon an attempt to modify a user's mailbox with the wrong format. The response contains the user's previously entered email address. (2018-12-25, CVE-2018-20464)
CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798. (2018-12-19, CVE-2018-19597)
XSS exists in CMS Made Simple version 2.2.7 via the m1_extra parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action. (2018-10-12, CVE-2018-18271)
XSS exists in CMS Made Simple version 2.2.7 via the m1_news_url parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action. (2018-10-12, CVE-2018-18270)
CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_name parameter, related to moduledepends, a different vulnerability than CVE-2017-16799. (2018-04-11, CVE-2018-10029)
CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_version parameter. (2018-04-11, CVE-2018-10032)
CMS Made Simple (aka CMSMS) 2.2.7 has Stored XSS in admin/siteprefs.php via the metadata parameter. (2018-04-11, CVE-2018-10033)
CMS Made Simple (CMSMS) 2.2.6 has stored XSS in admin/moduleinterface.php via the metadata parameter. (2018-03-12, CVE-2018-7893)
CMS Made Simple (CMSMS) 2.2.6 has XSS in admin/moduleinterface.php via the pagedata parameter. (2018-03-12, CVE-2018-8058)
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/addbookmark.php via the title parameter. (2018-01-25, CVE-2018-5963)
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_errors parameter. (2018-01-25, CVE-2018-5965)
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_messages parameter. (2018-01-25, CVE-2018-5964)
Why Cross-site Scripting can be dangerous
Cross site scripting is an attack where a web page executes code that is injected by an adversary. It usually appears, when users input is presented. This attack can be used to impersonate a user, take over control of the session, or even steal API keys.
The attack can be executed e.g. when you application injects the request parameter directly into the HTML code of the page returned to the user:
https://server.com/confirmation?message=Transaction+Complete
what results in:
<span>Confirmation: Transaction Complete</span>
In that case the message can be modified to become a valid Javascript code, e.g.:
https://server.com/confirmation?message=<script>dangerous javascript code here</script>
and it will be executed locally by the user's browser with full access to the user's personal application/browser data:
<span>Confirmation: <script>dangerous javascript code here</script></span>