CVE-2021-47735

Name of the Vulnerable Software and Affected Versions CMSimple version 5.4

Description The software contains an authenticated remote code execution issue that allows logged-in attackers to inject malicious PHP code into template files. Attackers can exploit the template editing functionality by crafting a reverse shell payload and saving it through the template editing endpoint with a valid CSRF token. The vulnerable functionality involves the ability to modify template files. The API endpoint used for template editing requires a valid CSRF token. The vulnerable parameter is the content of the template file being edited.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the template editing functionality. Ensure valid CSRF tokens are implemented and verified for all template editing requests.