CVE-2018-10082

Name of the Vulnerable Software and Affected Versions: CMS Made Simple (CMSMS) versions prior to 2.2.8

Description: The issue allows physical path leakage through various means, including an invalid page value in the /index.php?page= parameter, a crafted URI starting with /index.php?mact=Search, or direct requests to specific PHP files such as /admin/header.php, /admin/footer.php, /lib/tasks/class.ClearCache.task.php, or /lib/tasks/class.CmsSecurityCheck.task.php.

Recommendations: For CMS Made Simple (CMSMS) versions prior to 2.2.8, update to version 2.2.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the /admin/header.php, /admin/footer.php, /lib/tasks/class.ClearCache.task.php, and /lib/tasks/class.CmsSecurityCheck.task.php files until a patch is available. Avoid using crafted URIs starting with /index.php?mact=Search in the affected API endpoint until the issue is resolved.