CVE-2019-9061

HIGH

Cmsmadesimple Cms Made Simple < 2.2.8 - Insecure Deserialization

Title source: rule

Description

An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature.

References (2)

[Release Notes, Vendor Advisory] https://newsletter.cmsmadesimple.org/w/89247Qog4jCRCuRinvhsofwg

[Release Notes, Vendor Advisory] https://www.cmsmadesimple.org/2019/03/Announcing-CMS-Made-Simple-v2.2.10-Spuzzum

Scores

CVSS v3 8.8

EPSS 0.0091

EPSS Percentile 75.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502 CWE-1321

Status published

Affected Products (1)

cmsmadesimple/cms_made_simple < 2.2.8

Timeline

Published Mar 26, 2019

Tracked Since Feb 18, 2026