CVE-2018-10085

Published: Apr 13, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

CMS Made Simple (CMSMS) through 2.2.6 allows PHP object injection because of an unserialize call in the _get_data function of \lib\classes\internal\class.LoginOperations.php. By sending a crafted cookie, a remote attacker can upload and execute code, or delete files.

Affected (1)

Products: Cmsmadesimple: Cms Made Simple

1 product

Cms Made Simple

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cmsmadesimple Cms Made Simple	Up to 2.2.6

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (2)

https://github.com/itodaro/cve/blob/master/README.md

Source: cve@mitre.org

ExploitTechnical DescriptionThird Party Advisory

https://github.com/itodaro/cve/blob/master/README.md

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitTechnical DescriptionThird Party Advisory

Timeline

No history available yet.