CVE-2019-9055
published 2019-03-26


Priority: P2 · 64 · high · CVSS 3.0: 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 12.50% (95.7th percentile)
An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible to reach an unserialize call with a crafted value in the m1_allparms parameter, and achieve object injection.

Affected

1 range
Vendor: cmsmadesimple · Product: cms_made_simple · Version range: <= 2.2.8 · Fixed in: not given

Detection & IOCs (extracted from sources)

other: m1_allparms
path: action.admin_bulk_css.php
path: action.admin_bulk_template.php
  • Monitor HTTP requests targeting the DesignManager module endpoints (action.admin_bulk_css.php, action.admin_bulk_template.php) for the presence of the m1_allparms parameter containing serialized PHP object payloads (e.g., values beginning with 'O:' or 'a:' typical of PHP serialization).
  • Exploitation requires an authenticated session with Designer-level privileges; alert on Designer-role accounts making POST requests to DesignManager bulk action endpoints.
  • Affected versions include CMS Made Simple 2.2.6, 2.2.7, 2.2.8, 2.2.9, and 2.2.9.1; prioritize detection on installations running these versions.
  • Exploitation is limited to authenticated users holding the Designer role; unauthenticated exploitation is not possible.
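The monitoring rules in the list above, turned into a small request inspector, as an added Python example that is not part of this page, of the CVE record's sources, or of CMS Made Simple itself. It applies the page's criteria (a bulk action endpoint of DesignManager plus an m1_allparms value that starts like PHP serialize() output) to constructed request records, and tags each hit with whether the session held the Designer role, the precondition the advisory states. Two things go beyond the page and are assumptions: the example also recognises the usual CMSMS module routing form mact=DesignManager,m1,admin_bulk_css,0 sent to an admin front controller, and it tries a strict base64 decode of the parameter so an encoded payload is not missed. All sample requests, paths and values are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Module files named in the advisory (DesignManager, CMS Made Simple <= 2.2.8).
BULK_ACTION_FILES = ("action.admin_bulk_css.php", "action.admin_bulk_template.php")
BULK_ACTIONS = ("admin_bulk_css", "admin_bulk_template")

# Prefixes produced by PHP serialize() for objects and arrays,
# e.g. O:8:"stdClass":0:{}  or  a:1:{i:0;s:1:"x";}
PHP_SERIALIZED_RE = re.compile(r'^\s*[Oa]:\d+:')


def looks_php_serialized(value: str) -> bool:
    """True if the value, raw or after a strict base64 decode, starts like
    PHP serialize() output for an object or array.  The base64 branch is an
    added generalisation (assumption, not from the advisory): module
    parameters are often transported encoded and a raw check alone would
    miss them."""
    if PHP_SERIALIZED_RE.match(value):
        return True
    try:
        decoded = base64.b64decode(value, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return False
    return bool(PHP_SERIALIZED_RE.match(decoded))


def targets_bulk_action(path: str, params: dict) -> bool:
    """Does the request reach one of the DesignManager bulk actions?

    Matches the file names from the advisory directly and, as an assumption
    not stated on the page, the usual CMSMS module routing of the form
    mact=DesignManager,m1,admin_bulk_css,0 sent to an admin front controller."""
    if path.endswith(BULK_ACTION_FILES):
        return True
    for mact in params.get("mact", []):
        fields = mact.split(",")
        if len(fields) >= 3 and fields[0] == "DesignManager" and fields[2] in BULK_ACTIONS:
            return True
    return False


def inspect_request(method: str, url: str, body: str, user_role: str):
    """Return a finding for a suspicious request, or None.

    Flags a request that reaches a bulk action endpoint and carries an
    m1_allparms value that looks like serialized PHP data.  'designer_session'
    records the precondition the advisory gives for exploitation, so an
    analyst can triage Designer-role hits first."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    if not targets_bulk_action(parts.path, params):
        return None
    hits = [v for v in params.get("m1_allparms", []) if looks_php_serialized(v)]
    if not hits:
        return None
    return {
        "endpoint": parts.path,
        "method": method.upper(),
        "designer_session": user_role == "Designer",
        "payload_prefix": hits[0][:32],
    }


def scan(requests):
    """Run inspect_request over (method, url, body, role) tuples; keep the findings."""
    findings = []
    for method, url, body, role in requests:
        finding = inspect_request(method, url, body, role)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample traffic, not real captures: (method, url, body, session role)
SAMPLE_REQUESTS = [
    # 1. Designer POST via module routing, raw serialized object -> finding
    ("POST", "/admin/moduleinterface.php?mact=DesignManager,m1,admin_bulk_css,0",
     urlencode({"m1_allparms": 'O:8:"stdClass":1:{s:1:"a";i:1;}', "m1_submit": "Apply"}),
     "Designer"),
    # 2. Editor GET straight at the module file, serialized array -> finding, role mismatch noted
    ("GET", "/modules/DesignManager/action.admin_bulk_template.php?"
     + urlencode({"m1_allparms": 'a:1:{i:0;s:3:"xyz";}'}), "", "Editor"),
    # 3. Designer POST, base64-wrapped serialized array -> finding via the decode branch
    ("POST", "/admin/moduleinterface.php?mact=DesignManager,m1,admin_bulk_template,0",
     urlencode({"m1_allparms": base64.b64encode(b"a:1:{i:0;i:1;}").decode()}),
     "Designer"),
    # 4. Ordinary bulk action without m1_allparms -> no finding
    ("POST", "/admin/moduleinterface.php?mact=DesignManager,m1,admin_bulk_css,0",
     urlencode({"m1_css_ids[]": "3", "m1_bulk_action": "export"}), "Designer"),
    # 5. Unrelated admin request -> no finding
    ("POST", "/admin/login.php", urlencode({"username": "designer1"}), "Designer"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The check deliberately reports non-Designer sessions too (request 2) rather than dropping them: the advisory's precondition is useful for triage order, but a hit from another role still indicates someone probing the unserialize path, and the role recorded by the proxy may be stale.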

CVSS provenance

NVD, CVSS v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P