2 matches found
CVE-2018-1000158
cmsmadesimple version 2.2.7 contains a Incorrect Access Control vulnerability in the function of sendrecoveryemail in the line "$url = $config'adminurl' . '/login.php?recoverme=' . $code;" that can result in Administrator Password Reset Poisoning, specifically a reset URL pointing at an attacker...
CVE-2018-1000158
CMS Made Simple 2.2.7 has an Incorrect Access Control vulnerability in send_recovery_email that can create a reset URL pointing to an attacker-controlled server via a host header attack, enabling Administrator Password Reset Poisoning. Affected: cmsmadesimple 2.2.7. No explicit mitigations or pat...