Summary
CMS Made Simple is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the webserver process. Information harvested may aid in further attacks.
The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie- based authentication credentials and launch other attacks.
CMS Made Simple 1.6.6 is affected
other versions may also be
vulnerable.
References
Updated on 2015-03-25
Severity
Classification
-
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- Andromeda Streaming MP3 Server Cross Site Scripting Vulnerability
- Apache Commons Daemon 'jsvc' Information Disclosure Vulnerability
- AlienForm CGI script
- Aardvark Topsites PHP 'index.php' Multiple Cross Site Scripting Vulnerabilities
- 2532|Gigs Directory Traversal And SQL Injection Multiple Vulnerabilities