XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Getsimple_cms | Cagintranetworks | 3.3.3 (including) | 3.3.3 (including) |
| Getsimple_cms | Cagintranetworks | 3.3.4 (including) | 3.3.4 (including) |
| Getsimple_cms | Get-simple | 3.1.1 (including) | 3.1.1 (including) |
| Getsimple_cms | Get-simple | 3.1.2 (including) | 3.1.2 (including) |
| Getsimple_cms | Get-simple | 3.2 (including) | 3.2 (including) |
| Getsimple_cms | Get-simple | 3.2.1 (including) | 3.2.1 (including) |
| Getsimple_cms | Get-simple | 3.2.2 (including) | 3.2.2 (including) |
| Getsimple_cms | Get-simple | 3.2.3 (including) | 3.2.3 (including) |
| Getsimple_cms | Get-simple | 3.3.0 (including) | 3.3.0 (including) |
| Getsimple_cms | Get-simple | 3.3.1 (including) | 3.3.1 (including) |
| Getsimple_cms | Get-simple | 3.3.2-b3 (including) | 3.3.2-b3 (including) |
References
- http://get-simple.info/start/changelog/
- http://karmainsecurity.com/KIS-2014-17
- http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html
- http://seclists.org/fulldisclosure/2014/Dec/135
- https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944
- http://get-simple.info/start/changelog/
- http://karmainsecurity.com/KIS-2014-17
- http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html
- http://seclists.org/fulldisclosure/2014/Dec/135
- https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944