CVE-2018-10086

HIGH

CMS Made Simple < 2.2.7 - Authenticated Remote Code Execution via Test Function Eval Bypass

Title source: manual
STIX 2.1

Description

CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary code execution vulnerability in the admin dashboard because the implementation uses "eval('function testfunction'.rand()" and it is possible to bypass certain restrictions on these "testfunction" functions.

References (1)

Core 1
Core References
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://github.com/itodaro/cve/blob/master/README.md

Scores

CVSS v3 7.2
EPSS 0.0195
EPSS Percentile 77.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (1)
cmsmadesimple/cms_made_simple < 2.2.7
Published Apr 13, 2018
Tracked Since Feb 18, 2026