Vulnerability category: CGI
Vulnerability severity:
Vulnerability information
CMS Made Simple is an Open Source Content Management System. It is built using PHP and the Smarty Engine, which keeps content, functionality, and templates separated.
The vulnerability exists because the template engine implemented in CMSMS fails to sufficiently sanitize user-supplied input received via the cntnt01detailtemplate argument, which could allow unauthenticated, remote attackers to execute arbitrary code on the targeted system.
Affected Versions:
CMS Made Simple versions 2.1.6 and prior
QID Detection Logic:
This unauthenticated QID sends an HTTP GET request using the cntnt01detailtemplate argument to fetch the PHPINFO result.
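A passive complement to the active check is to review web server access logs for requests that carry the same argument. The following is an added example, not part of the original advisory or of CMSMS: it assumes combined-format access logs and that legitimate cntnt01detailtemplate values are short plain template names; the allow-list pattern and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

PARAM = "cntnt01detailtemplate"  # argument named in the advisory
# Assumption: legitimate values are short, plain template names.
PLAIN_NAME = re.compile(r"[A-Za-z0-9 _.-]{1,64}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample log lines (documentation IP ranges, made-up values).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?mact=News,cntnt01,detail,0&cntnt01articleid=1&cntnt01detailtemplate=Simplex+News+Detail HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?mact=News,cntnt01,detail,0&cntnt01articleid=1&cntnt01detailtemplate=%7Bexample%7D HTTP/1.1" 200 80211 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=news HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def suspicious_requests(log_lines):
    """Return (client, decoded value) for each non-plain PARAM value."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue  # not an HTTP request line we can parse
        query = urlsplit(match.group("target")).query
        # parse_qs percent-decodes once, so encoded delimiters become visible.
        for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            if not PLAIN_NAME.fullmatch(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"review: {client} sent {PARAM}={value!r}")
```

Hits are leads for review rather than proof of compromise; tune the allow-list to the template names actually configured on the site.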
Vulnerability impact
Successful exploitation allows an unauthenticated, remote attacker to execute arbitrary code on the targeted server.
Solution
Customers are advised to upgrade to CMSMS 2.2.3 or later versions to remediate this vulnerability.
Patch:
Following are links for downloading patches to fix the vulnerabilities: