PT-2019-19338 · Cms Made Simple · Cms Made Simple

Daniele Scanu · Published 2019-03-26 · Updated 2025-09-19 · CVE-2019-9053

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

CMS Made Simple versions 2.2.8 through 2.2.9

Description

An issue was discovered that allows unauthenticated blind time-based SQL injection via the m1_idlist parameter in the News module. This can be achieved through a crafted URL. The issue is related to SQL injection and has reportedly been exploited in real-world scenarios, with examples provided on platforms like TryHackMe.

Recommendations

For CMS Made Simple versions 2.2.8 through 2.2.9, consider updating to a version newer than 2.2.9 to resolve the issue. As a temporary workaround, consider restricting access to the News module until a patch is available. Avoid using the m1_idlist parameter in crafted URLs to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2019-9053

Affected Products

Cms Made Simple