Authenticated Object Injection in CMS Made Simple by CMS Made Simple
CVE-2019-9058
7.2 HIGH
Summary
A vulnerability in CMS Made Simple version 2.2.8 allows attackers with authenticated access to inject crafted data via the 'sel_groups' parameter of the admin/changegroupperm.php page. This object injection flaw can potentially allow unauthorized actions by modifying the behavior of the application's objects, which puts security and data integrity at risk. Users of this version should upgrade to a patched version to guard against exploitation.
CVSS V3.1
Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved