SB2018041819 - Multiple vulnerabilities in cmsmadesimple CMS Made Simple

Description

This security bulletin contains information about 3 vulnerabilities.

1) Incorrect permission assignment for critical resource (CVE-ID: CVE-2018-10519)

The vulnerability allows a remote authenticated user to execute arbitrary code.

CMS Made Simple (CMSMS) 2.2.7 contains a privilege escalation vulnerability from ordinary user to admin user by arranging for the eff_uid value within $_COOKIE[$this->_loginkey] to equal 1, because files in the tmp/ directory are accessible through HTTP requests. NOTE: this vulnerability exists because of an incorrect fix for CVE-2018-10084.

2) Path traversal (CVE-ID: CVE-2018-9921)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In CMS Made Simple 2.2.7, a Directory Traversal issue makes it possible to determine the existence of files and directories outside the web-site installation directory, and determine whether a file has contents matching a specified checksum. The attack uses an admin/checksum.php?__c= request.

3) Incorrect permission assignment for critical resource (CVE-ID: CVE-2018-1000158)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

cmsmadesimple version 2.2.7 contains a Incorrect Access Control vulnerability in the function of send_recovery_email in the line "$url = $config['admin_url'] . '/login.php?recoverme=' . $code;" that can result in Administrator Password Reset Poisoning, specifically a reset URL pointing at an attacker controlled server can be created by using a host header attack.

Remediation

Install update from vendor's website.

References

• https://github.com/itodaro/cmsms_cve/blob/master/README.md
• https://gist.github.com/0xn1k5/ef4c7c7a26c7d8a803ef3a85f1000c98
• http://dev.cmsmadesimple.org/bug/view/11762