module
CMS Made Simple Authenticated RCE via object injection
| Disclosed |
|---|
| Mar 26, 2019 |
Disclosed
Mar 26, 2019
Description
An issue was discovered in CMS Made Simple 2.2.8.
In the module DesignManager (in the files action.admin_bulk_css.php
and action.admin_bulk_template.php), with an unprivileged user
with Designer permission, it is possible to reach an unserialize
call with a crafted value in the m1_allparms parameter,
and achieve object injection.
This module has been successfully tested on CMS Made Simple versions
2.2.6, 2.2.7, 2.2.8, 2.2.9 and 2.2.9.1.
In the module DesignManager (in the files action.admin_bulk_css.php
and action.admin_bulk_template.php), with an unprivileged user
with Designer permission, it is possible to reach an unserialize
call with a crafted value in the m1_allparms parameter,
and achieve object injection.
This module has been successfully tested on CMS Made Simple versions
2.2.6, 2.2.7, 2.2.8, 2.2.9 and 2.2.9.1.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.