SB2016052607 - Cross-site scripting in cmsmadesimple CMS Made Simple




Published: May 26, 2016 Updated: August 9, 2020

Security Bulletin ID: SB2016052607
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Cross-site scripting (CVE-ID: CVE-2016-2784)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2, when Smarty Cache is activated, allow remote attackers to conduct cache poisoning attacks, modify links, and conduct cross-site scripting (XSS) attacks via a crafted HTTP Host header in a request.
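
The failure mode described above, modelled as an added example (not code from CMS Made Simple or from this bulletin): a page cache keyed only on the path stores links built from whichever Host header arrived first, shown next to a variant that validates the header against an allow-list and renders a fixed host. The hostnames, the class names and the `render` stand-in are assumptions made for illustration.

```python
import re

# Assumed, constructed values: the names this site is really served under.
ALLOWED_HOSTS = {"www.example.org", "example.org"}
CANONICAL_HOST = "www.example.org"
# Hostname grammar only (optional port); quotes, angle brackets, spaces fail.
HOST_RE = re.compile(r"[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?(:\d{1,5})?")


def render(host, path):
    """Stand-in for a cached template that emits an absolute link."""
    return f'<a href="http://{host}{path}">permalink</a>'


def is_trusted_host(host_header):
    """True only for a well-formed Host value whose name is allow-listed."""
    host = (host_header or "").strip().lower()
    if not HOST_RE.fullmatch(host):
        return False
    return host.split(":", 1)[0] in ALLOWED_HOSTS


class NaiveSite:
    """Vulnerable pattern: output depends on Host, cache key does not."""

    def __init__(self):
        self.cache = {}

    def handle(self, host, path):
        if path not in self.cache:
            # Whatever Host the first request carried is stored for everyone.
            self.cache[path] = render(host, path)
        return 200, self.cache[path]


class HardenedSite:
    """Rejects unknown hosts before the cache and renders a fixed host."""

    def __init__(self):
        self.cache = {}

    def handle(self, host, path):
        if not is_trusted_host(host):
            return 400, ""  # never rendered, never cached
        if path not in self.cache:
            self.cache[path] = render(CANONICAL_HOST, path)
        return 200, self.cache[path]
```

The same allow-list check can also be enforced in front of the application, for example with a default virtual host that rejects unknown names.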


Remediation

Install the update from the vendor's website.