Main Vulnerability Database Exploits ID:1501 - Exploit for Deserialization of Untrusted Data in CMS Made Simple - CVE-2019-9055

ID:1501 - Exploit for Deserialization of Untrusted Data in CMS Made Simple - CVE-2019-9055

Published: March 18, 2020

Vulnerability identifier: #VU21613

Vulnerability risk: High

CVE-ID: CVE-2019-9055

CWE-ID: CWE-502

Exploitation vector: Remote access

Vulnerable software:
CMS Made Simple

Link to public exploit:

https://www.rapid7.com/db/modules/exploit/multi/http/cmsms_object_injection_rce

Vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data in the "DesignManager" module in the "action.admin_bulk_css.php" and "action.admin_bulk_template.php" files. A remote authenticated attacker with Designer permission can reach an unserialize call with a crafted value in the "m1_allparms" parameter and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

ID:1501 - Exploit for Deserialization of Untrusted Data in CMS Made Simple - CVE-2019-9055

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human