CVE-2022-23906

CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file.

CVSS v3 7.2 HIGH
CVSS v2.0 6.5 MEDIUM

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://dev.cmsmadesimple.org/bug/view/12502	Exploit Issue Tracking Vendor Advisory
http://dev.cmsmadesimple.org/bug/view/12502	Exploit Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cmsmadesimple:cms_made_simple:2.2.15:*:*:*:*:*:*:*

History

21 Nov 2024, 06:49

Type	Values Removed	Values Added
References	~~() http://dev.cmsmadesimple.org/bug/view/12502 - Exploit, Issue Tracking, Vendor Advisory~~	() http://dev.cmsmadesimple.org/bug/view/12502 - Exploit, Issue Tracking, Vendor Advisory

Information

Published : 2022-02-28 23:15

Updated : 2024-11-21 06:49

NVD link : CVE-2022-23906

Mitre link : CVE-2022-23906

CVE.ORG link : CVE-2022-23906

JSON object : View

Products Affected

cmsmadesimple

cms_made_simple

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2022-23906", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2022-02-28T23:15:12.477", "references": [{"url": "http://dev.cmsmadesimple.org/bug/view/12502", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://dev.cmsmadesimple.org/bug/view/12502", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file."}, {"lang": "es", "value": "Se ha detectado que CMS Made Simple versi\u00f3n v2.2.15, contiene una vulnerabilidad de Ejecuci\u00f3n de Comandos Remota (RCE) por medio de la funci\u00f3n upload avatar. Esta vulnerabilidad es explotada por medio de un archivo de imagen dise\u00f1ado."}], "lastModified": "2024-11-21T06:49:26.473", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cmsmadesimple:cms_made_simple:2.2.15:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47371FA0-89B6-4625-B43D-AFC56252F4CF"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}