7.2
CVE-2024-27622
- EPSS 2%
- Veröffentlicht 05.03.2024 14:15:49
- Zuletzt bearbeitet 28.03.2025 16:05:54
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19 / 2.2.21. This vulnerability arises from inadequate sanitization of user-supplied input in the 'Code' section of the module. As a result, authenticated users with administrative privileges can inject and execute arbitrary PHP code.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cmsmadesimple ≫ Cms Made Simple Version2.2.19
Cmsmadesimple ≫ Cms Made Simple Version2.2.21
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2% | 0.781 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
The product does not adequately filter user-controlled input for special elements with control implications.
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
https://github.com/capture0x/CMSMadeSimple/
https://packetstormsecurity.com/files/177241/CMS-Made-Simple-2.2.19-Remote-Code-Execution.html
https://www.vicarius.io/vsociety/posts/pwning-cmsms-via-user-defined-tags-for-fun-and-learning-cve-2024-27622-27623