vendor:
CMS Made Simple
by:
7.5
CVSS
HIGH
Local File Include, Cross-Site Scripting
CWE
Product Name: CMS Made Simple
Affected Version From: 1.6.2006
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
CMS Made Simple Local File Include and Cross-Site Scripting Vulnerabilities
CMS Made Simple is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the webserver process. Information harvested may aid in further attacks. The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Mitigation:
Update to the latest version of CMS Made Simple to fix these vulnerabilities. Sanitize user-supplied input to prevent local file inclusion and cross-site scripting attacks.
