CVE-2019-9056

HIGH

CMS Made Simple - Insecure Deserialization

Description

An issue was discovered in CMS Made Simple 2.2.8. In the module FrontEndUsers (in the file class.FrontEndUsersManipulate.php or class.FrontEndUsersManipulator.php), it is possible to reach an unserialize call with an untrusted __FEU__ cookie, and achieve authenticated object injection.

Scores

CVSS v3 8.8
EPSS 0.0123
EPSS Percentile 78.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE CWE-502
Status published

Affected Products (1)

cmsmadesimple/cms_made_simple

Timeline

Published Apr 11, 2019
Tracked Since Feb 18, 2026