Multiple vulnerabilities in CMS Made Simple
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 8 |
| CVE-ID | CVE-2019-9053 CVE-2019-9055 CVE-2019-9056 CVE-2019-9693 CVE-2019-9061 CVE-2019-9059 CVE-2019-9058 CVE-2019-9057 |
| CWE-ID | CWE-89 CWE-502 CWE-94 CWE-77 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Vulnerability #2 is being exploited in the wild. |
| Vulnerable software |
CMS Made Simple Web applications / CMS |
| Vendor | cmsmadesimple.org |
Security Bulletin
This security bulletin contains information about 8 vulnerabilities.
1) SQL injection
EUVDB-ID: #VU21604
Risk: High
CVSSv4.0: 8.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2019-9053
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "m1_idlist" parameter. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationInstall update from vendor's website.
Vulnerable software versionsCMS Made Simple: 0.1 - 2.7
CPE2.3- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2.1:*:*:*:*:*:*:*
https://packetstormsecurity.com/files/152356/CMS-Made-Simple-SQL-Injection.html
https://www.cmsmadesimple.org/2019/03/Announcing-CMS-Made-Simple-v2.2.10-Spuzzum
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Deserialization of Untrusted Data
EUVDB-ID: #VU21613
Risk: High
CVSSv4.0: 8.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2019-9055
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data in the "DesignManager" module in the "action.admin_bulk_css.php" and "action.admin_bulk_template.php" files. A remote authenticated attacker with Designer permission can reach an unserialize call with a crafted value in the "m1_allparms" parameter and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCMS Made Simple: 0.1 - 2.7
CPE2.3- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2.1:*:*:*:*:*:*:*
https://www.cmsmadesimple.org/2019/03/Announcing-CMS-Made-Simple-v2.2.10-Spuzzum
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
3) Deserialization of Untrusted Data
EUVDB-ID: #VU21612
Risk: High
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-9056
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data in the "FrontEndUsers" module in the "class.FrontEndUsersManipulate.php" or "class.FrontEndUsersManipulator.php" file. A remote authenticated attacker can pass specially crafted data with an untrusted "__FEU__" cookie to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCMS Made Simple: 0.1 - 2.7
CPE2.3- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2.1:*:*:*:*:*:*:*
https://www.cmsmadesimple.org/2019/03/Announcing-CMS-Made-Simple-v2.2.10-Spuzzum
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) SQL injection
EUVDB-ID: #VU21611
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-9693
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists in the "class.showtime2_data.php" file due to insufficient sanitization of user-supplied data passed via the "_updateshow" (parameter show_id), "_inputshow" (parameter show_id), "_Getshowinfo" (parameter show_id), "_Getpictureinfo" (parameter picture_id), "_AdjustNameSeq" (parameter shownumber), "_Updatepicture" (parameter picture_id), and "_Deletepicture" (parameter picture_id) functions. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationInstall update from vendor's website.
Vulnerable software versionsCMS Made Simple: 0.1 - 2.7
CPE2.3- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2.1:*:*:*:*:*:*:*
https://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_data.php&rev=47
https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Code Injection
EUVDB-ID: #VU21608
Risk: High
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-9061
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the "ModuleManager" module in the "action.installmodule.php" file. A remote authenticated attacker can send a specially crafted request and execute arbitrary code using the "install module" feature on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCMS Made Simple: 0.1 - 2.7
CPE2.3- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2.1:*:*:*:*:*:*:*
https://www.cmsmadesimple.org/2019/03/Announcing-CMS-Made-Simple-v2.2.10-Spuzzum
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Command Injection
EUVDB-ID: #VU21607
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-9059
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionInstall updates from vendor's website.
Vulnerable software versionsCMS Made Simple: 0.1 - 2.7
CPE2.3- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2.1:*:*:*:*:*:*:*
https://www.cmsmadesimple.org/2019/03/Announcing-CMS-Made-Simple-v2.2.10-Spuzzum
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Code Injection
EUVDB-ID: #VU21606
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-9058
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists in the administrator page "admin/changegroupperm.php" due to improper input validation in the "sel_groups" parameter. A remote authenticated administrator can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCMS Made Simple: 0.1 - 2.7
CPE2.3- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2.1:*:*:*:*:*:*:*
https://www.cmsmadesimple.org/2019/03/Announcing-CMS-Made-Simple-v2.2.10-Spuzzum
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Code Injection
EUVDB-ID: #VU21605
Risk: High
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-9057
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the FilePicker module. A remote authenticated attacker can reach an unserialize call with an untrusted parameter and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCMS Made Simple: 0.1 - 2.7
CPE2.3- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:cmsmadesimple:cmsmadesimple:0.2.1:*:*:*:*:*:*:*
https://www.cmsmadesimple.org/2019/03/Announcing-CMS-Made-Simple-v2.2.10-Spuzzum
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
