CVE-2016-2784

MEDIUM

Cmsmadesimple Cms Made Simple - XSS

Description

CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2, when Smarty Cache is activated, allow remote attackers to conduct cache poisoning attacks, modify links, and conduct cross-site scripting (XSS) attacks via a crafted HTTP Host header in a request.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Mickaël Walter · text · webapps · php
https://www.exploit-db.com/exploits/39760

Scores

CVSS v3 4.7
EPSS 0.0609
EPSS Percentile 90.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Classification

CWE
CWE-79
Status draft

Affected Products (50)

cmsmadesimple/cms_made_simple
... and 35 more

Timeline

Published May 26, 2016
Tracked Since Feb 18, 2026