CVE-2019-9053
published 2019-03-26

Priority: P2 71 · high · CVSS 3.0: 8.1
CVSS 3.0 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 55.96% (98.9th percentile)
An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.

Affected (1 range)

Vendor          Product           Version range   Fixed in
cmsmadesimple   cms_made_simple   -               -

Detection & IOCs (extracted from sources)

url: &m1_idlist=a,b,1,5))+and+(select+sleep(<TIME>)+from+cms_users+where+password+like+0x<HEX>25+and+user_id+like+0x31)+--+
url: &m1_idlist=a,b,1,5))+and+(select+sleep(<TIME>)+from+cms_users+where+username+like+0x<HEX>25+and+user_id+like+0x31)+--+
url: &m1_idlist=a,b,1,5))+and+(select+sleep(<TIME>)+from+cms_users+where+email+like+0x<HEX>25+and+user_id+like+0x31)+--+
command: select+sleep(<TIME>)+from+cms_users+where+password+like+0x<HEX>25+and+user_id+like+0x31
  • Detect blind time-based SQLi via the m1_idlist GET parameter containing SQL sleep() injection patterns targeting the CMS Made Simple News module. Look for URL-encoded payloads with patterns such as 'select+sleep(' or 'select sleep(' in the m1_idlist parameter value.
  • The SQLi payload follows a specific structure: 'a,b,1,5))+and+(select+sleep(N)+from+cms_users+where+<field>+like+0x<hex>25+and+user_id+like+0x31)+--+' injected into m1_idlist. Alert on requests where m1_idlist contains the 'cms_users' or 'sleep(' substrings.
  • The exploit enumerates salt, username, email, and password from the cms_users table character by character using time delays. Anomalous response-latency spikes on repeated requests to the News module URL with varying m1_idlist values are a strong behavioral indicator.
  • The attack is unauthenticated; no session cookie or login is required. Monitor for high-frequency GET requests to the CMS Made Simple News module endpoint with the m1_idlist parameter from a single source IP.
  • The TIME threshold used for sleep-based detection is configurable in the exploit script; defenders should tune anomaly-detection baselines accordingly, since a low TIME value is harder to distinguish from legitimate slow queries.
  • The exploit targets CMS Made Simple version 2.2.8 specifically via the News module; other versions may or may not be affected and should be tested independently.
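
One way to turn the indicators above into a check over web-server access logs, as an added example that is not code from this page or from the CMS Made Simple project: it URL-decodes the m1_idlist value before matching (so the '+' form and a percent-encoded form of the same payload both fire), flags the string indicators, and separately flags slow responses and counts m1_idlist requests per source IP for the latency and rate heuristics in the bullets. The log format (Apache combined log with response time in ms appended), the 3000 ms threshold, the /index.php path and the 0x.. hex literals in the sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Indicators taken from the payload structure described above, matched on the
# decoded m1_idlist value so '+' and '%xx' encoding cannot hide them.
INDICATORS = {
    "sleep_call": re.compile(r"\bsleep\s*\(", re.I),
    "cms_users_table": re.compile(r"\bcms_users\b", re.I),
    "paren_break_and": re.compile(r"\)\)\s*and\s*\(", re.I),  # the '...5)) and (' prefix
}

# Assumed log format: Apache combined log with the response time in ms appended.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<ms>\d+)$'
)

def m1_idlist_values(url):
    """Fully decoded m1_idlist values of a request URL ([] when the parameter is absent)."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("m1_idlist", [])
    return [unquote_plus(v) for v in values]  # second pass handles double-encoded payloads

def classify_request(url):
    """Names of the indicators found in m1_idlist; an empty list means the request looks clean."""
    decoded = " ".join(m1_idlist_values(url))
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def scan_access_log(lines, slow_ms=3000):
    """Return (alerts, requests_per_ip): one alert per m1_idlist request that carries an
    indicator or exceeded slow_ms, plus a per-source count of m1_idlist requests for rate alerting."""
    alerts, requests_per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "m1_idlist=" not in m.group("url"):
            continue
        requests_per_ip[m.group("ip")] += 1
        hits, elapsed = classify_request(m.group("url")), int(m.group("ms"))
        if hits or elapsed >= slow_ms:
            alerts.append({"ip": m.group("ip"), "hits": hits, "ms": elapsed})
    return alerts, requests_per_ip

# Constructed sample traffic; the URL path and the 0x.. hex literals are placeholders, not from the page.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Mar/2019:10:00:01 +0000] "GET /index.php?m1_idlist=a,b,1,5))+and+(select+sleep(5)+from+cms_users+where+username+like+0x6125+and+user_id+like+0x31)+--+ HTTP/1.1" 200 1234 5012',
    '198.51.100.4 - - [26/Mar/2019:10:00:02 +0000] "GET /index.php?m1_idlist=1,2,3 HTTP/1.1" 200 1234 42',
    '203.0.113.7 - - [26/Mar/2019:10:00:03 +0000] "GET /index.php?m1_idlist=a,b,1,5))+and+(select+sleep(1)+from+cms_users+where+password+like+0x2425+and+user_id+like+0x31)+--+ HTTP/1.1" 200 1234 1031',
    '192.0.2.9 - - [26/Mar/2019:10:00:04 +0000] "GET /index.php?m1_idlist=a,b,1,5%29%29%20and%20%28select%20sleep%285%29%20from%20cms_users%29--%20 HTTP/1.1" 200 1234 5008',
    '198.51.100.4 - - [26/Mar/2019:10:00:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 1234 12',
]
```

The third sample line shows the low-TIME case from the bullets: at 1031 ms it stays under the latency threshold, but the content indicators still catch it.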

CVSS provenance

NVD · CVSS v3.0 · 8.1 HIGH · CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · CVSS v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P