CVE-2019-9692
published 2019-03-11

Priority: P357 | medium 6.5 | CVSS 3.0
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS: 46.52% (98.7th percentile)
class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).

Affected

1 range
Vendor | Product | Version range | Fixed in
cmsmadesimple | cms_made_simple | < 2.2.10 | 2.2.10

Detection & IOCs (extracted from sources)

path: /admin/moduleinterface.php
path: /uploads/images/shell.php
filename: shell.php
path: /modules/Showtime2/moduleinfo.ini
path: /uploads/images/
filename: class.showtime2_image.php
  • Detect multipart POST to /admin/moduleinterface.php with mact=Showtime2 and m1_upload_submit=Upload — this is the file upload trigger for the exploit.
  • Alert on GET or POST requests to /uploads/images/*.php — a PHP file served from the image upload directory indicates successful webshell placement.
  • Monitor for HTTP GET to /modules/Showtime2/moduleinfo.ini — used by attackers to fingerprint the vulnerable Showtime2 module version prior to exploitation.
  • Detect uploaded files with non-image extensions (e.g. .php, .php5, .phtml) in the watermark/upload path — the vulnerability is the absence of extension validation in class.showtime2_image.php.
  • Look for the named pipe reverse shell pattern (mkfifo /tmp/f) in process execution logs on the web server — this is the default post-exploitation payload used by the PoC.
  • Showtime2 versions <= 3.6.2 on CMSMS <= 2.2.9.1 are confirmed vulnerable; check the version string in /modules/Showtime2/moduleinfo.ini for triage.
  • Exploitation requires an authenticated session with the 'Use Showtime2' privilege; this is not an unauthenticated vulnerability.
  • The Metasploit module uses a CSRF token extracted from the login redirect Location header; detections based solely on cookie presence may miss sessions that bypass login via stolen credentials.
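
The access-log checks from the list above can be run over web server logs as follows. This is an added example, not code from this page or from CMSMS; it assumes Combined Log Format, and the function names, verdict labels and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
PHP_IN_UPLOADS = re.compile(r"^/uploads/images/.*\.(?:php\d?|phtml)$", re.I)

def classify(method, target):
    """Map one request to an indicator name from the list above, or None."""
    path = unquote(target.split("?", 1)[0])
    if PHP_IN_UPLOADS.match(path):
        return "php_in_upload_dir"
    if method == "GET" and path == "/modules/Showtime2/moduleinfo.ini":
        return "showtime2_fingerprint"
    # mact=Showtime2 sits in the multipart body, which access logs do not
    # record, so this POST is weak on its own and only used for correlation.
    if method == "POST" and path == "/admin/moduleinterface.php":
        return "module_post"
    return None

def scan(lines):
    """Group indicator hits as {client_ip: [(indicator, status), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and (tag := classify(m.group(2), m.group(3))):
            hits[m.group(1)].append((tag, int(m.group(4))))
    return dict(hits)

def verdict(events):
    """Rank one client's hits; a 2xx on a script in uploads outranks all."""
    if any(t == "php_in_upload_dir" and 200 <= s < 300 for t, s in events):
        return "script_served_from_uploads"
    if {"showtime2_fingerprint", "module_post"} <= {t for t, _ in events}:
        return "fingerprint_and_module_post"
    return "review"

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Mar/2019:10:00:01 +0000] "GET /modules/Showtime2/moduleinfo.ini HTTP/1.1" 200 412',
    '192.0.2.10 - - [11/Mar/2019:10:00:09 +0000] "POST /admin/moduleinterface.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [11/Mar/2019:10:00:15 +0000] "GET /uploads/images/shell.php HTTP/1.1" 200 0',
    '198.51.100.7 - - [11/Mar/2019:10:02:00 +0000] "GET /uploads/images/logo.png HTTP/1.1" 200 8841',
    '203.0.113.5 - - [11/Mar/2019:10:05:00 +0000] "GET /uploads/images/a.PHTML?x=1 HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    print({ip: verdict(ev) for ip, ev in scan(SAMPLE_LOG).items()})
```

A 404 on a script path under /uploads/images/ is kept as a "review" hit rather than dropped, since it still shows a client requesting a script name in the image directory.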

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N