Keerati T

**Name of the Vulnerable Software and Affected Versions** CMS Made Simple version 2.1.6 **Description** A remote code execution issue exists, allowing attackers to inject arbitrary PHP code via the `timezone` parameter in step 4 of a fresh installation procedure, specifically in the /cmsms-2.1.6-install.php/index.php endpoint. **Recommendations** For CMS Made Simple version 2.1.6, avoid using the `timezone` parameter in the /cmsms-2.1.6-install.php/index.php endpoint until a fix is available. As a temporary workaround, consider restricting access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.