CVE-2017-16798
published 2018-12-19CVE-2017-16798: CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798.
PriorityP425medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.86%
53.8th percentile
CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cmsmadesimple | cms_made_simple | — | — |
| cmsmadesimple | cms_made_simple | — | — |
| cmsmadesimple | cms_made_simple | — | — |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-hr6q-cqgm-w6pf: CMS Made Simple 2
ghsa_unreviewed·2022-05-24·CVSS 5.4
CVE-2020-17462 [MEDIUM] GHSA-hr6q-cqgm-w6pf: CMS Made Simple 2
CMS Made Simple 2.2.14 allows Authenticated Arbitrary File Upload because the File Manager does not block .ptar files, a related issue to CVE-2017-16798.
GHSA
GHSA-jgrr-64mp-ghjw: CMS Made Simple 2
ghsa_unreviewed·2022-05-14·CVSS 5.4
CVE-2018-19597 [MEDIUM] CWE-79 GHSA-jgrr-64mp-ghjw: CMS Made Simple 2
CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798.
GHSA
GHSA-23c3-237c-6x4c: In CMS Made Simple 2
ghsa_unreviewed·2022-05-13
CVE-2017-16798 [MEDIUM] CWE-79 GHSA-23c3-237c-6x4c: In CMS Made Simple 2
In CMS Made Simple 2.2.3.1, the is_file_acceptable function in modules/FileManager/action.upload.php only blocks file extensions that begin or end with a "php" substring, which allows remote attackers to bypass intended access restrictions or trigger XSS via other extensions, as demonstrated by .phtml, .pht, .html, or .svg.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2018-12-19
Published