CVE-2014-8790

GetSimple CMS 3.1.1-3.3.x - XML External Entity Injection via admin/api.php Data Parameter

Title source: llm
STIX 2.1

Description

XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter.

References (5)

Core 5
Core References
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Dec/135
Various Sources x_refsource_confirm
http://get-simple.info/start/changelog/
Exploit x_refsource_misc
http://karmainsecurity.com/KIS-2014-17
Issue Tracking x_refsource_confirm
https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944

Scores

EPSS 0.0254
EPSS Percentile 83.1%

Details

Status published
Products (11)
cagintranetworks/getsimple_cms 3.3.3
cagintranetworks/getsimple_cms 3.3.4
get-simple/getsimple_cms 3.1.1
get-simple/getsimple_cms 3.1.2
get-simple/getsimple_cms 3.2
get-simple/getsimple_cms 3.2.1
get-simple/getsimple_cms 3.2.2
get-simple/getsimple_cms 3.2.3
get-simple/getsimple_cms 3.3.0
get-simple/getsimple_cms 3.3.1
... and 1 more
Published Jan 20, 2015
Tracked Since Feb 18, 2026