CVE-2017-1000454

Published: Jan 2, 2018Modified: Nov 21, 2024

7.8

Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

CMS Made Simple 2.1.6, 2.2, 2.2.1 are vulnerable to Smarty Template Injection in some core components, resulting in local file read before 2.2, and local file inclusion since 2.2.1

Affected (2)

Products: Cmsmadesimple: Cms Made Simple

Cmsmadesimple

1 product

Cms Made Simple

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cmsmadesimple Cms Made Simple	Before 2.2

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Cmsmadesimple Cms Made Simple	From 2.2.1

Related CWEs

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (2)

https://www.cmsmadesimple.org/2017/07/Announcing-CMSMS-2.2.2-Hearts-Content

Source: cve@mitre.org

Issue TrackingVendor Advisory

https://www.cmsmadesimple.org/2017/07/Announcing-CMSMS-2.2.2-Hearts-Content

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.