CVE-2014-2245

CMS Made Simple < 1.11.10 - Authenticated SQL Injection via News Module sortby Parameter

Title source: llm
STIX 2.1

Description

SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 allows remote authenticated users with the "Modify News" permission to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php. NOTE: some of these details are obtained from third party information.

References (4)

Core 4
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/56996
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/65953
Vendor Advisory x_refsource_confirm
http://dev.cmsmadesimple.org/project/changelog/4602
Mailing List mailing-list x_refsource_mlist
http://seclists.org/oss-sec/2014/q1/467

Scores

EPSS 0.0032
EPSS Percentile 54.8%

Details

CWE
CWE-89
Status published
Products (50)
cmsmadesimple/cms_made_simple 0.1
cmsmadesimple/cms_made_simple 0.2
cmsmadesimple/cms_made_simple 0.2.1
cmsmadesimple/cms_made_simple 0.3
cmsmadesimple/cms_made_simple 0.3.1
cmsmadesimple/cms_made_simple 0.3.2
cmsmadesimple/cms_made_simple 0.4
cmsmadesimple/cms_made_simple 0.4.1
cmsmadesimple/cms_made_simple 0.5
cmsmadesimple/cms_made_simple 0.5.1
... and 40 more
Published Mar 05, 2014
Tracked Since Feb 18, 2026