CMS Made Simple 2.2.8 Remote Code Execution

Posted by deepcore on November 14, 2019 – 2:20 pm

An issue was discovered in CMS Made Simple version 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible to reach an unserialize call with a crafted value in the m1_allparms parameter, and achieve object injection. This Metasploit module has been successfully tested on CMS Made Simple versions 2.2.6, 2.2.7, 2.2.8, 2.2.9 and 2.2.9.1.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« [webapps] Xfilesharing 2.5.1 – Arbitrary File Upload Siemens Desigo PX 6.00 Denial Of Service »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

CMS Made Simple 2.2.8 Remote Code Execution

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL