PT-2018-18077 · Cms Made Simple · Cms Made Simple

Keerati T · Published 2018-02-26 · Updated 2018-03-22 · CVE-2018-7448

CVSS v2.0: 8.5 (High)

Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

CMS Made Simple version 2.1.6

Description

A remote code execution issue exists, allowing attackers to inject arbitrary PHP code via the timezone parameter in step 4 of a fresh installation procedure, specifically in the /cmsms-2.1.6-install.php/index.php endpoint.

Recommendations

For CMS Made Simple version 2.1.6, avoid using the timezone parameter in the /cmsms-2.1.6-install.php/index.php endpoint until a fix is available. As a temporary workaround, consider restricting access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

OS Command Injection


Weakness Enumeration

Related identifiers

CVE-2018-7448

Affected products

Cms Made Simple