CVE-2014-8790

XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://get-simple.info/start/changelog/
http://karmainsecurity.com/KIS-2014-17	Exploit
http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html	Exploit
http://seclists.org/fulldisclosure/2014/Dec/135	Exploit
https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cagintranetworks:getsimple_cms:3.3.3:::::::*
	cpe:2.3:a:cagintranetworks:getsimple_cms:3.3.4:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.1.1:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.1.2:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.2:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.2.1:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.2.2:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.2.3:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.3.0:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.3.1:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.3.2:b3::::::

History

No history.

Information

Published : 2015-01-20 15:59

Updated : 2024-02-04 18:35

NVD link : CVE-2014-8790

Mitre link : CVE-2014-8790

CVE.ORG link : CVE-2014-8790

JSON object : View

Products Affected

cagintranetworks

getsimple_cms

get-simple

getsimple_cms

CWE

NVD-CWE-Other

{"id": "CVE-2014-8790", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-01-20T15:59:02.767", "references": [{"url": "http://get-simple.info/start/changelog/", "source": "cve@mitre.org"}, {"url": "http://karmainsecurity.com/KIS-2014-17", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2014/Dec/135", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944", "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter."}, {"lang": "es", "value": "Vulnerabilidad de entidad externa XML (XXE) en admin/api.php en GetSimple CMS 3.1.1 hasta 3.3.x anterior a 3.3.5 Beta 1, cuando est\u00e1 en ciertas configuraciones, permite a atacantes remotos leer ficheros arbitrarios a trav\u00e9s del par\u00e1metro data."}], "lastModified": "2018-10-30T16:27:48.750", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cagintranetworks:getsimple_cms:3.3.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22530D96-CE49-4675-83C5-066547BE3C52"}, {"criteria": "cpe:2.3:a:cagintranetworks:getsimple_cms:3.3.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9BF62238-8CC4-47CD-A86A-B8DFC672AF71"}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "733282CB-3E2E-4E12-AF47-6A9EA4807C6E"}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5D8A854-9344-4063-85BF-1C773B33EADE"}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15806A00-25E7-404A-9E8B-D74DCD847275"}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CDD52948-4B08-4582-8E8B-C1E9FA2989B2"}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B64BEF7-F4F8-4B6B-8426-8D3A7365996D"}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.2.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF77D84A-9212-4CE9-89D5-3205CD841FCF"}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5201DE3-6BF1-4634-9B61-F486C444FF01"}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93A26D2C-5F0F-4EEA-B9AB-31ADCC5CD42A"}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.3.2:b3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EEEA76C0-5C52-4AE6-B97F-AC5DF4D38AAF"}], "operator": "OR"}]}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/611.html\" target=\"_blank\">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>", "sourceIdentifier": "cve@mitre.org"}