CMS Made Simple < 1.7.1 Cross-Site Scripting Vulnerability

Medium Nessus Network Monitor Plugin ID 5530

Synopsis

The remote web server is running a PHP application that is affected by a cross-site scripting vulnerability.

Description

The remote host is running CMS Made Simple, a web-based content management application written in PHP. The installed version of CMS Made Simple is earlier than 1.7.1. Such versions are potentially affected by a cross-site scripting vulnerability because the application fails to properly sanitize user supplied input to the 'date_format_string' variable of the 'admin/editprefs.php' script. An attacker with administrator privileges, could exploit this flaw to execute arbitrary script code in a user's browser.

Solution

Upgrade to CMS Made Simple 1.7.1 or later.

See Also

http://blog.cmsmadesimple.org/2010/05/01/announcing-cms-made-simple-1-7-1-escade

http://www.securityfocus.com/archive/1/511178/30/0/threaded

Plugin Details

Severity: Medium

ID: 5530

Family: CGI

Published: 2010/05/07

Modified: 2016/01/25

Dependencies: 1442

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 5.8

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 3.5

Temporal Score: 3.3

Vector: CVSS3#AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cmsmadesimple:cms_made_simple

Patch Publication Date: 2010/05/01

Vulnerability Publication Date: 2010/05/07

Reference Information

CVE: CVE-2010-1482

BID: 39997