CVE-2019-9057

HIGH

Cmsmadesimple CMS Made Simple < 2.2.8 - Insecure Deserialization

Title source: rule

Description

An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection.

Scores

CVSS v3 8.8
EPSS 0.0091
EPSS Percentile 75.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502 CWE-915
Status published

Affected Products (1)

cmsmadesimple/cms_made_simple < 2.2.8

Timeline

Published Mar 26, 2019
Tracked Since Feb 18, 2026