Attacker Value
Unknown

CVE-2019-9061

Disclosure Date: March 26, 2019 (last updated November 27, 2024)
An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature.
Attacker Value
Unknown

CVE-2019-9057

Disclosure Date: March 26, 2019 (last updated November 27, 2024)
An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection.
Attacker Value
Unknown

CVE-2019-10017

Disclosure Date: March 24, 2019 (last updated November 27, 2024)
CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker.
Attacker Value
Unknown

CVE-2019-9693 - CMS Made Simple (CMSMS) SQL Injection

Disclosure Date: March 11, 2019 (last updated November 27, 2024)
In CMS Made Simple (CMSMS) before 2.2.10, an authenticated user can achieve SQL Injection in class.showtime2_data.php via the functions _updateshow (parameter show_id), _inputshow (parameter show_id), _Getshowinfo (parameter show_id), _Getpictureinfo (parameter picture_id), _AdjustNameSeq (parameter shownumber), _Updatepicture (parameter picture_id), and _Deletepicture (parameter picture_id).
Attacker Value
Unknown

CVE-2018-20464

Disclosure Date: December 25, 2018 (last updated November 27, 2024)
There is a reflected XSS vulnerability in the CMS Made Simple 2.2.8 admin/myaccount.php. This vulnerability is triggered upon an attempt to modify a user's mailbox with the wrong format. The response contains the user's previously entered email address.
Attacker Value
Unknown

CVE-2018-19597

Disclosure Date: December 19, 2018 (last updated November 27, 2024)
CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798.
Attacker Value
Unknown

CVE-2018-18270

Disclosure Date: October 12, 2018 (last updated November 27, 2024)
XSS exists in CMS Made Simple version 2.2.7 via the m1_news_url parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action.
Attacker Value
Unknown

CVE-2018-18271

Disclosure Date: October 12, 2018 (last updated November 27, 2024)
XSS exists in CMS Made Simple version 2.2.7 via the m1_extra parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action.
Attacker Value
Unknown

CVE-2018-10518

Disclosure Date: April 27, 2018 (last updated November 26, 2024)
In CMS Made Simple (CMSMS) through 2.2.7, the "file delete" operation in the admin dashboard contains an arbitrary file deletion vulnerability that can cause DoS, exploitable by an admin user, because the attacker can remove all lib/ files in all directories.
Attacker Value
Unknown

CVE-2018-10515

Disclosure Date: April 27, 2018 (last updated November 26, 2024)
In CMS Made Simple (CMSMS) through 2.2.7, the "file unpack" operation in the admin dashboard contains a remote code execution vulnerability exploitable by an admin user because a .php file can be present in the extracted ZIP archive.