CMS Made Simple < 1.7.1 Cross-Site Scripting Vulnerability

low Nessus Network Monitor Plugin ID 5530

Synopsis

The remote web server is running a PHP application that is affected by a cross-site scripting vulnerability.

Description

The remote host is running CMS Made Simple, a web-based content management application written in PHP. The installed version of CMS Made Simple is earlier than 1.7.1. Such versions are potentially affected by a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input to the 'date_format_string' variable of the 'admin/editprefs.php' script. An attacker with administrator privileges could exploit this flaw to execute arbitrary script code in a user's browser.

Solution

Upgrade to CMS Made Simple 1.7.1 or later.

See Also

http://blog.cmsmadesimple.org/2010/05/01/announcing-cms-made-simple-1-7-1-escade

http://www.securityfocus.com/archive/1/511178/30/0/threaded

Plugin Details

Severity: Low

ID: 5530

Family: CGI

Published: 5/7/2010

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS v3

Risk Factor: Low

Base Score: 3.5

Temporal Score: 3.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cmsmadesimple:cms_made_simple

Patch Publication Date: 5/1/2010

Vulnerability Publication Date: 5/7/2010

Reference Information

CVE: CVE-2010-1482

BID: 39997