Published on May 26th, 2019
CMS Made Simple up to 2.2.10 m1_title Persistent cross site scripting [Disputed]
CVSS Meta Temp Score | Current Exploit Price (≈) |
---|---|
3.3 | $0-$5k |
A vulnerability classified as problematic was found in CMS Made Simple up to 2.2.10 (Content Management System). A function is affected. Manipulating the argument m1_title with an unknown input leads to a persistent cross site scripting vulnerability. The issue is classified as CWE-80. It has an impact on integrity. An attacker might be able to inject arbitrary HTML and script code into the web site, which would alter its appearance and make it possible to initiate further attacks against site visitors.
The weakness was disclosed on 05/22/2019 by Manuel Garcia Cardenas as "CMS Made Simple 2.2.10 - (Authenticated) Persistent Cross-Site Scripting" in a confirmed mailing list post (Full-Disclosure). The advisory is available at seclists.org. The public release was coordinated in cooperation with the vendor. This vulnerability is tracked as CVE-2019-11226. The attack can be launched remotely. A single authentication is required for exploitation. Technical details and a public exploit are known.
A public exploit was developed by Manuel Garcia Cardenas and published immediately after the advisory. It is declared as proof-of-concept. The exploit is shared for download at seclists.org. The real existence of this vulnerability is still doubted at the moment. The code used by the exploit is:
alert(1)
The problem might be mitigated by replacing the product with as an alternative.
VulDB Meta Base Score: 3.5
VulDB Meta Temp Score: 3.3
VulDB Base Score: 3.5
VulDB Temp Score: 3.3
Class: Cross site scripting / Persistent (CWE-80)
Local: No
Remote: Yes
Access: Public
Status: Proof-of-Concept
Author: Manuel Garcia Cardenas
Recommended: Alternative
05/22/2019 Advisory disclosed
05/22/2019 Exploit disclosed
05/26/2019 VulDB entry created
05/26/2019 VulDB last update
Advisory: CMS Made Simple 2.2.10 - (Authenticated) Persistent Cross-Site Scripting
Researcher: Manuel Garcia Cardenas
Status: Confirmed
CVE: CVE-2019-11226
Created: 05/26/2019 04:27 PM
https://vuldb.com/?id.135642