SB2019042507 - Multiple vulnerabilities in CMS Made Simple
Published: April 25, 2019 Updated: October 8, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2019-11513)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the File Manager due to insufficient sanitization of user-supplied data when processing data passed via the "New name" field in a Rename action. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Stored cross-site scripting (CVE-ID: CVE-2019-10017)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to the "moduleinterface.php" uploader class script does not properly filter HTML code from user-supplied input in the "Name" field before listing the Profile. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Cross-site scripting (CVE-ID: CVE-2019-10107)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing the myaccount.php "Email Address" field, which is reachable via the "My Preferences -> My Account" section. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Stored cross-site scripting (CVE-ID: CVE-2019-10106)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing the "moduleinterface.php" Name field, which is reachable via an "Add Category" action to the "Site Admin Settings - News module" section. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
5) Cross-site scripting (CVE-ID: CVE-2019-10105)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
6) Stored cross-site scripting (CVE-ID: CVE-2019-11226)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing the "m1_name" parameter in "Add Article" under Content -> Content Manager -> News. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.
References
- http://dev.cmsmadesimple.org/bug/view/12022
- http://dev.cmsmadesimple.org/bug/view/12001
- https://ctrsec.io/index.php/2019/03/24/cmsmadesimple-xss-filepicker/
- http://dev.cmsmadesimple.org/bug/view/12003
- http://dev.cmsmadesimple.org/bug/view/12004
- http://dev.cmsmadesimple.org/bug/view/12002
- http://packetstormsecurity.com/files/153071/CMS-Made-Simple-2.2.10-Cross-Site-Scripting.html
- https://vulmon.com/vulnerabilitydetails?qid=CVE-2019-11226