CMS Made Simple < 1.6.3 Local File Include Vulnerability

Medium Nessus Network Monitor Plugin ID 5123

Synopsis

The remote web server is running a PHP application that is affected by an information disclosure vulnerability.

Description

The remote host is running CMS Made Simple, a web-based content manager written in PHP. The installed version of CMS Made Simple is earlier than 1.6.2. Such versions are potentially affected by an information disclosure vulnerability because they fail to properly sanitize user supplied data to the 'url' parameter of the 'modules/Printing/output.php' script.

Solution

Upgrade to CMS Made Simple 1.6.3 or later.

See Also

https://www.ihteam.net/selfexploit/en/show-src.php?id=587

http://blog.cmsmadesimple.org/2009/08/05/announcing-cmsms-163-touho

http://dev.cmsmadesimple.org/bug/view/3798

Plugin Details

Severity: Medium

ID: 5123

File Name: 5123.prm

Family: CGI

Published: 2009/08/10

Modified: 2015/10/30

Dependencies: 1442

Nessus ID: 40551

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 5.3

Temporal Score: 4.9

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cmsmadesimple:cms_made_simple

Patch Publication Date: 2009/08/05

Vulnerability Publication Date: 2009/08/05

Reference Information

BID: 36005