Command injection in CMS Made Simple - CVE-2018-1000094

 


Published: July 11, 2018 / Updated: June 17, 2021


Vulnerability identifier: #VU13890
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:A/U:Amber
CVE-ID: CVE-2018-1000094
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: cmsmadesimple.org
Affected software:
CMS Made Simple

Detailed vulnerability description

The vulnerability allows a remote attacker with administrative privileges to execute arbitrary commands on the target system.

The vulnerability exists in the File Manager interface of CMS Made Simple due to insufficient validation of user-supplied input. A remote attacker can upload a malicious file, inject arbitrary commands and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


How to mitigate CVE-2018-1000094

The vendor does not plan to fix the vulnerability.
