CMS Made Simple 1.1.3.1 does not check the permissions assigned to users in some situations, which allows remote authenticated users to perform some administrative actions, as demonstrated by (1) adding a user via a direct request to admin/adduser.php and (2) reading the admin log via an admin/adminlog.php?page=1 request.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cms_made_simple | Cmsmadesimple | 1.1.3.1 (including) | 1.1.3.1 (including) |
References
- http://blog.cmsmadesimple.org/2007/10/07/announcing-cms-made-simple-1141/
- http://osvdb.org/45481
- http://securityreason.com/securityalert/3223
- http://www.securityfocus.com/archive/1/481984/100/0/threaded
- http://blog.cmsmadesimple.org/2007/10/07/announcing-cms-made-simple-1141/
- http://osvdb.org/45481
- http://securityreason.com/securityalert/3223
- http://www.securityfocus.com/archive/1/481984/100/0/threaded