NVD Vulnerability Detail

CVE-2019-9692

Summary	class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).
Publication Date	March 12, 2019, 3:29 a.m.
Registration Date	Jan. 26, 2021, 11:45 a.m.
Last Update	Nov. 21, 2024, 1:52 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:cmsmadesimple:cms_made_simple::::::::					2.2.10

Related information, measures and tools

No	URL	タグ
1	http://packetstormsecurity.com/files/152269/CMS-Made-Simple-CMSMS-Showtime2-File-Upload-Remote-Command-Execution.html	Exploit Third Party Advisory VDB Entry
2	http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47	Patch Vendor Advisory
3	http://www.rapid7.com/db/modules/exploit/multi/http/cmsms_showtime2_rce	Third Party Advisory
4	https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285	Vendor Advisory
5	https://www.exploit-db.com/exploits/46546/	Exploit Third Party Advisory VDB Entry
6	https://www.exploit-db.com/exploits/46627/	Exploit Third Party Advisory VDB Entry
7	http://packetstormsecurity.com/files/152269/CMS-Made-Simple-CMSMS-Showtime2-File-Upload-Remote-Command-Execution.html	Exploit Third Party Advisory VDB Entry
8	https://www.exploit-db.com/exploits/46627/	Exploit Third Party Advisory VDB Entry
9	https://www.exploit-db.com/exploits/46546/	Exploit Third Party Advisory VDB Entry
10	https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285	Vendor Advisory
11	http://www.rapid7.com/db/modules/exploit/multi/http/cmsms_showtime2_rce	Third Party Advisory
12	http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47	Patch Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-434	危険なタイプのファイルの無制限アップロード	https://cwe.mitre.org/data/definitions/434.html

JVN Vulnerability Information

CMS Made Simple における危険なタイプのファイルの無制限アップロードに関する脆弱性

Title	CMS Made Simple における危険なタイプのファイルの無制限アップロードに関する脆弱性
Summary	CMS Made Simple (CMSMS) には、危険なタイプのファイルの無制限アップロードに関する脆弱性が存在します。
Possible impacts	情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 6, 2019, midnight
Registration Date	April 9, 2019, 2:15 p.m.
Last Update	April 9, 2019, 2:15 p.m.

Affected System

CMS Made Simple

CMS Made Simple 2.2.10 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-9692	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9692
2	CVE-2019-9692	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9692
National Vulnerability Database (NVD)
3	CVE-2019-9692	https://nvd.nist.gov/vuln/detail/CVE-2019-9692
4	CVE-2019-9692	https://nvd.nist.gov/vuln/detail/CVE-2019-9692

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-434	https://cwe.mitre.org/data/definitions/434.html
2	CWE-434	https://cwe.mitre.org/data/definitions/434.html

ベンダー情報

No	Name	URL
CMS Made Simple
1	(root)/trunk/lib/class.showtime2_image.php - リビジョン 14 → 47	http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47
2	(root)/trunk/lib/class.showtime2_image.php - リビジョン 14 → 47	http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47
3	Announcing CMS Made Simple v2.2.10 - Spuzzum	https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285
4	Announcing CMS Made Simple v2.2.10 - Spuzzum	https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285

Change Log

No	Changed Details	Date of change
1	[2019年04月09日] 掲載	April 9, 2019, 2:15 p.m.