Description
Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure.
Exploits (2)
References (3)
Exploit, Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/44192/
Exploit, Third Party Advisory, VDB Entry (x_refsource_misc): https://packetstormsecurity.com/files/146568/CMS-Made-Simple-2.1.6-Remote-Code-Execution.html
Release Notes (x_refsource_misc): http://dev.cmsmadesimple.org/project/changelog/5471
Scores
CVSS v3
7.5
EPSS
0.4208
EPSS Percentile
97.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (1)
cmsmadesimple/cms_made_simple
2.1.6
Published
Feb 26, 2018
Tracked Since
Feb 18, 2026