
Published on May 26th, 2019


CMS Made Simple up to 2.2.10 m1_title Persistent cross site scripting [Disputed]



CVSS Meta Temp Score: 3.3
Current Exploit Price (≈): $0-$5k

A vulnerability classified as problematic was found in CMS Made Simple up to 2.2.10 (Content Management System). A function is affected. Manipulating the argument m1_title with an unknown input leads to a persistent cross-site scripting vulnerability. CWE classifies the issue as CWE-80. It has an impact on integrity. An attacker might be able to inject arbitrary HTML and script code into the website, which would alter its appearance and make it possible to initiate further attacks against site visitors.

The weakness was disclosed on 05/22/2019 by Manuel Garcia Cardenas as "CMS Made Simple 2.2.10 - (Authenticated) Persistent Cross-Site Scripting" in a confirmed mailing list post (Full-Disclosure). The advisory is available at seclists.org. The public release was coordinated with the vendor. This vulnerability is tracked as CVE-2019-11226. The attack can be launched remotely. A single authentication is required for exploitation. Technical details and a public exploit are known.

A public exploit was developed by Manuel Garcia Cardenas and published immediately after the advisory. It is declared as proof-of-concept. The exploit is shared for download at seclists.org. The real existence of this vulnerability is still doubted at the moment. The code used by the exploit is:

alert(1)

The problem might be mitigated by replacing the product with an alternative.


VulDB Meta Base Score: 3.5
VulDB Meta Temp Score: 3.3

VulDB Base Score: 3.5
VulDB Temp Score: 3.3


Class: Cross site scripting / Persistent (CWE-80)
Local: No
Remote: Yes

Access: Public
Status: Proof-of-Concept
Author: Manuel Garcia Cardenas

Recommended: Alternative

05/22/2019 Advisory disclosed
05/22/2019 +0 days Exploit disclosed
05/26/2019 +4 days VulDB entry created
05/26/2019 +0 days VulDB last update

Advisory: CMS Made Simple 2.2.10 - (Authenticated) Persistent Cross-Site Scripting
Researcher: Manuel Garcia Cardenas
Status: Confirmed

CVE: CVE-2019-11226

Created: 05/26/2019 04:27 PM


https://vuldb.com/?id.135642
