ID CVE-2019-9057 Type cve Reporter cve@mitre.org Modified 2020-08-24T17:37:00
Description
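An issue was discovered in CMS Made Simple 2.2.8. In the FilePicker module, an authenticated user can reach a PHP unserialize() call with an untrusted parameter and achieve object injection. The OpenVAS check attached to this record reports every version before 2.2.10 as affected ("CMS Made Simple through version 2.2.9") and gives the update to 2.2.10 as the fix. That check only compares the detected version string (qod_type "remote_banner"), so a finding means a vulnerable release is installed, not that the unserialize path was confirmed reachable on the host.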
{"openvas": [{"lastseen": "2019-10-09T14:48:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9058", "CVE-2019-9692", "CVE-2019-9056", "CVE-2019-9055", "CVE-2019-9059", "CVE-2019-9057", "CVE-2019-9693"], "description": "CMS Made Simple is prone to multiple vulnerabilities.", "modified": "2019-10-07T00:00:00", "published": "2019-03-12T00:00:00", "id": "OPENVAS:1361412562310113353", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113353", "type": "openvas", "title": "CMS Made Simple < 2.2.10 Multiple Vulnerabilities", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113353\");\n script_version(\"2019-10-07T14:34:48+0000\");\n script_tag(name:\"last_modification\", value:\"2019-10-07 14:34:48 +0000 (Mon, 07 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-12 13:34:54 +0200 (Tue, 12 Mar 2019)\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2019-9692\", \"CVE-2019-9693\", \"CVE-2019-9055\", \"CVE-2019-9056\",\n \"CVE-2019-9057\", \"CVE-2019-9058\", \"CVE-2019-9059\");\n\n script_name(\"CMS Made Simple < 2.2.10 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"cms_made_simple_detect.nasl\");\n script_mandatory_keys(\"cmsmadesimple/installed\");\n\n script_tag(name:\"summary\", value:\"CMS Made Simple is prone to multiple vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - class.showtime2_image.php does not ensure that a watermark file\n has a standard image file extension\n\n - an authenticated user can achieve SQL Injection in class.showtime2_data.php\n via the functions _updateshow (parameter show_id), _inputshow (parameter show_id),\n _Getshowinfo (parameter show_id), _Getpictureinfo (parameter picture_id),\n _AdjustNameSeq (parameter shownumber), 
_Updatepicture (parameter picture_id)\n and _Deletepicture (parameter picture_id)\n\n - In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php),\n with an unprivileged user with Designer permissions, it is possible to reach an unserialize call\n with a crafted value in the m1_allparms parameter and achieve object injection\n\n - In the module FrontEndUsers (in the files class.FrontEndUsersManipulate.php and class.FrontEndUsersManipulator.php),\n it is possible to reach an unserialize call with an untrusted __FEU__ cookie and achieve authenticated object injection\n\n - In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter\n and achieve authenticated object injection\n\n - In the administrator page admin/changegroupperm.php, it is possible to send a crafted value in the sel_groups\n parameter that leads to authenticated object injection\n\n - It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable\n in Mail Settings, setting 'sendmail' in the 'Mailer' option and launching the 'Forgot your password' feature\");\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to read sensitive information\n and modify the target system.\");\n script_tag(name:\"affected\", value:\"CMS Made Simple through version 2.2.9.\");\n script_tag(name:\"solution\", value:\"Update to version 2.2.10.\");\n\n script_xref(name:\"URL\", value:\"https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:cmsmadesimple:cms_made_simple\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! 
version = get_app_version( cpe: CPE, port: port ) ) exit( 0 );\n\nif( version_is_less( version: version, test_version: \"2.2.10\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"2.2.10\" );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}