CVE-2018-10086: Code Injection
First published: Fri Apr 13 2018(Updated: )
CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary code execution vulnerability in the admin dashboard because the implementation uses "eval('function testfunction'.rand()" and it is possible to bypass certain restrictions on these "testfunction" functions.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Simple CMS | <=2.2.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-10086?
CVE-2018-10086 is classified as a critical vulnerability due to its potential for arbitrary code execution.
How do I fix CVE-2018-10086?
To fix CVE-2018-10086, upgrade CMS Made Simple to version 2.2.8 or later.
What causes CVE-2018-10086?
CVE-2018-10086 is caused by the insecure use of the eval function in the CMS Made Simple admin dashboard.
Who is affected by CVE-2018-10086?
CVE-2018-10086 affects all installations of CMS Made Simple versions up to and including 2.2.7.
What can an attacker do with CVE-2018-10086?
An attacker can execute arbitrary code on the server through crafted input in the CMS Made Simple admin dashboard.
- agent/type
- agent/weakness
- agent/author
- agent/references
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/cmsmadesimple
- canonical/simple cms
- version/simple cms/2.2.7