Headline
CVE-2021-40961: CMS Made Simple SQL injection on m1_sortby parameter
CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL without using the ' character.
Full Disclosure mailing list archives
From: riccardo krauter <riccardo.krauter () gmail com>
Date: Wed, 17 Mar 2021 12:49:15 +0100
- Summary
Affected software: CMS Made Simple-2.2.15
Vendor URL: http://www.cmsmadesimple.org/
Vulnerability: SQL injection
- Vulnerability Description
The affected software is vulnerable to SQL injection via the m1_sortby POST parameter of the News module, reachable via the moduleinterface.php page. The `sortby` parameter is sanitized by replacing the `'` with the `_` character; anyway, it is possible to inject arbitrary SQL language without using the `'`. This vulnerability is remotely exploitable and requires authentication.
- PoC and details
https://github.com/beerpwn/CVE/blob/master/cms_made_simple_2021/sqli_order_by/CMS-MS-SQLi-report.md
- Credits
This vulnerability has been discovered and reported by Riccardo Krauter researcher @ Soter IT Security (soteritsecurity.com).
- Timeline
2021/02/22 Vendor was informed
2021/02/26 Vendor said he won't fix
2021/03/17 Public disclosure
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
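The advisory's point is that a quote-replacement filter does not constrain a value placed after ORDER BY, because that position takes identifiers and expressions rather than string literals. The following is an added example, not code from the original post or from CMS Made Simple: it places the filter described above beside an allow-list for the sort key. The column names, the base query and the function names are hypothetical.

```php
<?php
// Added illustration; table, columns and function names are hypothetical.

// The sanitisation described in the advisory: replace ' with _.
function quote_filter(string $sortby): string
{
    return str_replace("'", '_', $sortby);
}

// Allow-list: each accepted request value maps to a fixed SQL fragment.
// Identifiers and sort direction cannot be bound as prepared-statement
// parameters, so they are chosen from constants instead of being copied.
const SORT_COLUMNS = [
    'news_title' => 'news_title',
    'news_date'  => 'news_date',
    'status'     => 'status',
];
const SORT_DIRECTIONS = ['ASC', 'DESC'];

function order_by_clause(string $sortby, string $direction = 'ASC'): string
{
    if (!array_key_exists($sortby, SORT_COLUMNS)) {
        $sortby = 'news_date'; // unknown key: fall back to a fixed default
    }
    $direction = strtoupper($direction);
    if (!in_array($direction, SORT_DIRECTIONS, true)) {
        $direction = 'ASC';
    }
    return ' ORDER BY ' . SORT_COLUMNS[$sortby] . ' ' . $direction;
}

$query1 = 'SELECT news_id, news_title FROM news'; // hypothetical base query

// Constructed inputs: a valid column, a quote-free value that is not a
// single column name, and a value containing a quote.
$samples = ['news_title', 'news_title DESC, news_id', "news'title"];
foreach ($samples as $s) {
    printf("input:      %s\n", $s);
    printf("filter:     %s ORDER BY %s\n", $query1, quote_filter($s));
    printf("allow-list: %s%s\n\n", $query1, order_by_clause($s));
}
```

The second sample passes through the quote filter unchanged and alters the clause, while the allow-list version only ever emits one of its fixed column names.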