CVE-2024-57549

Name of the Vulnerable Software and Affected Versions CMSimple version 5.16

Description The issue allows a user to read the CMS source code by manipulating the file name in the file parameter of a GET request. This is due to incorrect restriction of the path name to a directory with limited access. An attacker can exploit this to gain unauthorized access to protected information by sending a specially crafted GET request.

Recommendations For CMSimple version 5.16, as a temporary workaround, consider restricting access to the file parameter in GET requests until a patch is available. Avoid using the file parameter in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.