XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_summary parameter. Someone must login to conduct the attack.

XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_content parameter. Someone must login to conduct the attack.

XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_title parameter. Someone must login to conduct the attack.

In CMS Made Simple 2.2.3.1, in modules/New/action.addcategory.php, stored XSS is possible via the m1_name parameter to admin/moduleinterface.php during addition of a category, a related issue to CVE-2010-3882.

In CMS Made Simple 2.2.3.1, the is_file_acceptable function in modules/FileManager/action.upload.php only blocks file extensions that begin or end with a "php" substring, which allows remote attackers to bypass intended access restrictions or trigger XSS via other extensions, as demonstrated by .phtml, .pht, .html, or .svg.

CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field.

A File upload vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to upload a pdf file with hidden Cross Site Scripting (XSS).

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Page Specific Metadata and Smarty data parameters in the Content Manager Menu component.

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the password and password again parameters in the My Preferences - Add user component.

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Profiles parameter in the Extensions -MicroTiny WYSIWYG editor component.

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the Manage Shortcuts component.

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the News Menu component.

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Global Meatadata parameter in the Global Settings Menu component.

CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "News > Add Article" screen.

CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Module Manager > Search Term field.

CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "file manager > upload images" screen.

CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker.

CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name field, which is reachable via an "Add Category" action to the "Site Admin Settings - News module" section.

CMS Made Simple (CMSMS) 2.2.6 has stored XSS in admin/moduleinterface.php via the metadata parameter.

CMS Made Simple (CMSMS) 2.2.6 has XSS in admin/moduleinterface.php via the pagedata parameter.

A Cross-site scripting (XSS) vulnerability in CMS Made Simple v2.2.17 allows remote attackers to inject arbitrary web script or HTML via the File Upload function.

CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/addbookmark.php via the title parameter.

CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_errors parameter.

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Search Text" field under the "Admin Search" module.

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Design" parameter under the "Designs" module.

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "URL (slug)" or "Extra" fields under the "Add Article" feature.

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Email address to receive notification of news submission" parameter under the "Options" module.

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Stylesheet" parameter under the "Stylesheets" module.

CMS Made Simple (CMSMS) 2.2.14 allows stored XSS via the Extensions > Fie Picker..

CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_version parameter.

CMS Made Simple (aka CMSMS) 2.2.7 has Stored XSS in admin/siteprefs.php via the metadata parameter.

CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News.

The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action.

CMS Made Simple 2.2.10 has XSS via the myaccount.php "Email Address" field, which is reachable via the "My Preferences -> My Account" section.

CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager.

CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_messages parameter.

The Filemanager in CMS Made Simple 2.2.13 has stored XSS via a .pxd file, as demonstrated by m1_files[] to admin/moduleinterface.php.

CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798.

CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_name parameter, related to moduledepends, a different vulnerability than CVE-2017-16799.

Cross Site Scripting (XSS) vulnerablity in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature.

Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via 'News > Article" feature.

CMS Made Simple 2.2.14 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Field Definition text field.

Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the "adminpage > sitesetting > General Settings > globalmetadata" field.

Cross-site scripting (XSS) vulnerability in /admin/moduleinterface.php in CMS Made Simple 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the m1_description parameter (aka "Design Manager > Categories > Category Description").

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the extra parameter in the news menu component.

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component.

CMS Made Simple 2.2.14 allows XSS via a Search Term to the admin/moduleinterface.php?mact=ModuleManager page.

A cross-site scripting (XSS) vulnerability was discovered in the Administrator panel on the 'Setting News' module on CMS Made Simple 2.2.14 which allows an attacker to execute arbitrary web scripts.