#VU13890 Command injection in CMS Made Simple - CVE-2018-1000094

 

Published: July 11, 2018 / Updated: June 17, 2021


Vulnerability identifier: #VU13890
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:A/U:Amber
CVE-ID: CVE-2018-1000094
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software: CMS Made Simple
Software vendor: cmsmadesimple.org

Description

The vulnerability allows a remote administrative attacker to execute arbitrary commands on the target system.

The vulnerability exists in the File Manager interface of CMS Made Simple due to insufficient validation of user-supplied input. A remote attacker can upload a malicious file, inject arbitrary commands and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


Remediation

The vendor does not plan to fix the vulnerability.
