CVE-2012-5450
medium
CVSS v3
—
CVSS v2
6.8
VIR risk
6.8
Description
Cross-site request forgery (CSRF) vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) 1.11.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deld parameter.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — http://secunia.com/advisories/51185
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| cmsmadesimple | cms_made_simple | {"endIncluding":"1.11.2"} | |
| cmsmadesimple | cms_made_simple | 0.1 | |
| cmsmadesimple | cms_made_simple | 0.2 | |
| cmsmadesimple | cms_made_simple | 0.2.1 | |
| cmsmadesimple | cms_made_simple | 0.3 | |
| cmsmadesimple | cms_made_simple | 0.3.1 | |
| cmsmadesimple | cms_made_simple | 0.3.2 | |
| cmsmadesimple | cms_made_simple | 0.4 | |
| cmsmadesimple | cms_made_simple | 0.4.1 | |
| cmsmadesimple | cms_made_simple | 0.5 | |
| cmsmadesimple | cms_made_simple | 0.5.1 | |
| cmsmadesimple | cms_made_simple | 0.6 | |
| cmsmadesimple | cms_made_simple | 0.6.1 | |
| cmsmadesimple | cms_made_simple | 0.6.2 | |
| cmsmadesimple | cms_made_simple | 0.6.3 | |
| cmsmadesimple | cms_made_simple | 0.7 | |
| cmsmadesimple | cms_made_simple | 0.7.1 | |
| cmsmadesimple | cms_made_simple | 0.7.2 | |
| cmsmadesimple | cms_made_simple | 0.7.3 | |
| cmsmadesimple | cms_made_simple | 0.8 | |
| cmsmadesimple | cms_made_simple | 0.8.1 | |
| cmsmadesimple | cms_made_simple | 0.8.2 | |
| cmsmadesimple | cms_made_simple | 0.9 | |
| cmsmadesimple | cms_made_simple | 0.9.1 | |
| cmsmadesimple | cms_made_simple | 0.9.2 | |
| cmsmadesimple | cms_made_simple | 0.10 | |
| cmsmadesimple | cms_made_simple | 0.10.1 | |
| cmsmadesimple | cms_made_simple | 0.10.2 | |
| cmsmadesimple | cms_made_simple | 0.10.3 | |
| cmsmadesimple | cms_made_simple | 0.10.4 | |
| cmsmadesimple | cms_made_simple | 0.11 | |
| cmsmadesimple | cms_made_simple | 0.11.1 | |
| cmsmadesimple | cms_made_simple | 0.11.2 | |
| cmsmadesimple | cms_made_simple | 0.12 | |
| cmsmadesimple | cms_made_simple | 0.12.1 | |
| cmsmadesimple | cms_made_simple | 0.12.2 | |
| cmsmadesimple | cms_made_simple | 0.13 | |
| cmsmadesimple | cms_made_simple | 1.0 | |
| cmsmadesimple | cms_made_simple | 1.0.1 | |
| cmsmadesimple | cms_made_simple | 1.0.2 | |
| cmsmadesimple | cms_made_simple | 1.0.3 | |
| cmsmadesimple | cms_made_simple | 1.0.4 | |
| cmsmadesimple | cms_made_simple | 1.0.5 | |
| cmsmadesimple | cms_made_simple | 1.0.6 | |
| cmsmadesimple | cms_made_simple | 1.1 | |
| cmsmadesimple | cms_made_simple | 1.1.1 | |
| cmsmadesimple | cms_made_simple | 1.1.2 | |
| cmsmadesimple | cms_made_simple | 1.1.3 | |
| cmsmadesimple | cms_made_simple | 1.1.3.1 | |
| cmsmadesimple | cms_made_simple | 1.1.4 | |
| cmsmadesimple | cms_made_simple | 1.2 | |
| cmsmadesimple | cms_made_simple | 1.2.1 | |
| cmsmadesimple | cms_made_simple | 1.2.2 | |
| cmsmadesimple | cms_made_simple | 1.2.3 | |
| cmsmadesimple | cms_made_simple | 1.2.4 | |
| cmsmadesimple | cms_made_simple | 1.2.5 | |
| cmsmadesimple | cms_made_simple | 1.3 | |
| cmsmadesimple | cms_made_simple | 1.4 | |
| cmsmadesimple | cms_made_simple | 1.4.1 | |
| cmsmadesimple | cms_made_simple | 1.5 | |
| cmsmadesimple | cms_made_simple | 1.5.1 | |
| cmsmadesimple | cms_made_simple | 1.5.2 | |
| cmsmadesimple | cms_made_simple | 1.5.3 | |
| cmsmadesimple | cms_made_simple | 1.5.4 | |
| cmsmadesimple | cms_made_simple | 1.6 | |
| cmsmadesimple | cms_made_simple | 1.6.1 | |
| cmsmadesimple | cms_made_simple | 1.6.2 | |
| cmsmadesimple | cms_made_simple | 1.6.3 | |
| cmsmadesimple | cms_made_simple | 1.6.4 | |
| cmsmadesimple | cms_made_simple | 1.6.5 | |
| cmsmadesimple | cms_made_simple | 1.6.6 | |
| cmsmadesimple | cms_made_simple | 1.6.7 | |
| cmsmadesimple | cms_made_simple | 1.7 | |
| cmsmadesimple | cms_made_simple | 1.7.1 | |
| cmsmadesimple | cms_made_simple | 1.8 | |
| cmsmadesimple | cms_made_simple | 1.8.1 | |
| cmsmadesimple | cms_made_simple | 1.8.2 | |
| cmsmadesimple | cms_made_simple | 1.9 | |
| cmsmadesimple | cms_made_simple | 1.9.1 | |
| cmsmadesimple | cms_made_simple | 1.9.2 | |
| cmsmadesimple | cms_made_simple | 1.9.3 | |
| cmsmadesimple | cms_made_simple | 1.9.4 | |
| cmsmadesimple | cms_made_simple | 1.9.4.1 | |
| cmsmadesimple | cms_made_simple | 1.9.4.2 | |
References
- http://archives.neohapsis.com/archives/bugtraq/2012-11/0035.html
- http://forum.cmsmadesimple.org/viewtopic.php?f=1&t=63545
- http://packetstormsecurity.org/files/117951/CMS-Made-Simple-1.11.2-Cross-Site-Request-Forgery.html
- http://secunia.com/advisories/51185
- http://viewsvn.cmsmadesimple.org/diff.php?repname=cmsmadesimple&path=%2Ftrunk%2Flib%2Ffilemanager%2FImageManager%2FClasses%2FImageManager.php&rev=8400&peg=8498
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79881
- https://www.htbridge.com/advisory/HTB23121
- http://archives.neohapsis.com/archives/bugtraq/2012-11/0035.html
- http://forum.cmsmadesimple.org/viewtopic.php?f=1&t=63545
- http://packetstormsecurity.org/files/117951/CMS-Made-Simple-1.11.2-Cross-Site-Request-Forgery.html
- http://secunia.com/advisories/51185
- http://viewsvn.cmsmadesimple.org/diff.php?repname=cmsmadesimple&path=%2Ftrunk%2Flib%2Ffilemanager%2FImageManager%2FClasses%2FImageManager.php&rev=8400&peg=8498
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79881
- https://www.htbridge.com/advisory/HTB23121
CWEs
CWE-352
Verify integrity in audit chain (admin only). AS-IS.