Getsimple Cms
Monthly
GetSimple CMS massiveAdmin plugin has a CSRF vulnerability enabling attackers to perform admin actions through crafted malicious pages.
Stored XSS in GetSimpleCMS Community Edition 3.3.16 allows authenticated administrators to inject malicious JavaScript through the component slug field, which persists in XML storage and executes when other users access the Components page. An attacker with admin privileges can exploit this to hijack sessions, perform unauthorized administrative actions, and persistently compromise the CMS interface for all authenticated users. The vulnerability affects PHP-based GetSimpleCMS installations and currently has no available patch.
Arbitrary file read vulnerability in GetSimple CMS affects all versions through its Uploaded Files feature, allowing unauthenticated remote attackers to access sensitive files on affected systems. Public exploit code exists for this vulnerability, and no patch is currently available. The high-severity flaw (CVSS 7.5) poses a significant confidentiality risk to all GetSimple CMS deployments.
Unauthenticated attackers can access sensitive files in GetSimple CMS when Apache's AllowOverride directive is disabled, bypassing .htaccess protections that restrict directory access. This configuration is common in hardened and shared hosting environments, exposing authorization credentials, API keys, and cryptographic salts in files like authorization.xml. Public exploit code exists for this vulnerability, and no patch is currently available.
GetSimple CMS allows authenticated users to upload SVG files containing malicious JavaScript through the administrative interface, which executes in browsers when the files are accessed due to insufficient sanitization. Public exploit code exists for this stored XSS vulnerability, and no patch is currently available, leaving all GetSimple CMS versions at risk.
Arbitrary file upload in GetSimple CMS results from missing CSRF protection on the administrative upload endpoint, allowing an attacker to silently inject files through a malicious webpage visited by an authenticated admin. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker needs only to trick an authenticated user into visiting a crafted page to compromise the application.
GetSimple CMS is a content management system. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
GetSimple CMS massiveAdmin plugin has a CSRF vulnerability enabling attackers to perform admin actions through crafted malicious pages.
Stored XSS in GetSimpleCMS Community Edition 3.3.16 allows authenticated administrators to inject malicious JavaScript through the component slug field, which persists in XML storage and executes when other users access the Components page. An attacker with admin privileges can exploit this to hijack sessions, perform unauthorized administrative actions, and persistently compromise the CMS interface for all authenticated users. The vulnerability affects PHP-based GetSimpleCMS installations and currently has no available patch.
Arbitrary file read vulnerability in GetSimple CMS affects all versions through its Uploaded Files feature, allowing unauthenticated remote attackers to access sensitive files on affected systems. Public exploit code exists for this vulnerability, and no patch is currently available. The high-severity flaw (CVSS 7.5) poses a significant confidentiality risk to all GetSimple CMS deployments.
Unauthenticated attackers can access sensitive files in GetSimple CMS when Apache's AllowOverride directive is disabled, bypassing .htaccess protections that restrict directory access. This configuration is common in hardened and shared hosting environments, exposing authorization credentials, API keys, and cryptographic salts in files like authorization.xml. Public exploit code exists for this vulnerability, and no patch is currently available.
GetSimple CMS allows authenticated users to upload SVG files containing malicious JavaScript through the administrative interface, which executes in browsers when the files are accessed due to insufficient sanitization. Public exploit code exists for this stored XSS vulnerability, and no patch is currently available, leaving all GetSimple CMS versions at risk.
Arbitrary file upload in GetSimple CMS results from missing CSRF protection on the administrative upload endpoint, allowing an attacker to silently inject files through a malicious webpage visited by an authenticated admin. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker needs only to trick an authenticated user into visiting a crafted page to compromise the application.
GetSimple CMS is a content management system. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.