CVE-2019-9060

7.5 HIGH

📋 TL;DR

This vulnerability in CMS Made Simple allows unauthenticated attackers to perform path traversal attacks, potentially reading arbitrary files on the server. It affects CMS Made Simple installations using vulnerable versions of the CGExtensions module. Attackers can exploit this without authentication to access sensitive system files.

💻 Affected Systems

Products:
  • CMS Made Simple
Versions: 2.2.8 and earlier versions
Operating Systems: All operating systems running CMS Made Simple
Default Config Vulnerable: ⚠️ Yes
Notes: Affects installations with the CGExtensions module enabled, which is commonly used.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise through reading sensitive configuration files, database credentials, or other critical system files leading to further exploitation.

🟠 Likely Case: Unauthorized access to sensitive files containing configuration data, user information, or other application data.

🟢 If Mitigated: Limited impact with proper file permissions and web server configuration restricting access to sensitive directories.

🌐 Internet-Facing: HIGH - Exploitable without authentication and publicly accessible web applications are common targets.
🏢 Internal Only: MEDIUM - Internal applications still vulnerable but attack surface is reduced compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple path traversal exploitation with publicly available details in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.10

Vendor Advisory: https://www.cmsmadesimple.org/2019/03/Announcing-CMS-Made-Simple-v2.2.10-Spuzzum

Restart Required: No

Instructions:

1. Back up your CMS Made Simple installation and database.
2. Download CMS Made Simple 2.2.10 or later from the official website.
3. Replace the vulnerable files with patched versions.
4. Verify the installation works correctly.

🔧 Temporary Workarounds

Disable CGExtensions module (platform: all)

Temporarily disable the vulnerable CGExtensions module to prevent exploitation.

Navigate to CMS admin panel > Extensions > Modules > CGExtensions > Disable

Restrict file access via web server (platform: linux)

Configure the web server to block access to the vulnerable PHP files.

Add to .htaccess:

    <Files "action.setdefaulttemplate.php">
        Order Allow,Deny
        Deny from all
    </Files>
    <Files "action.showmessage.php">
        Order Allow,Deny
        Deny from all
    </Files>

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all file path parameters
  • Apply web application firewall rules to block path traversal patterns

🔍 How to Verify

Check if Vulnerable:

Check if CMS Made Simple version is 2.2.8 or earlier and CGExtensions module is enabled

Check Version:

Check admin panel or look for version in CMS configuration files

Verify Fix Applied:

Verify that the CMS version is 2.2.10 or later and test that path traversal attempts are blocked

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests to action.setdefaulttemplate.php or action.showmessage.php with suspicious parameters
  • Requests containing '../' or similar path traversal patterns in parameters

Network Indicators:

  • Unusual file access patterns to non-web directories
  • Requests attempting to access known sensitive files

SIEM Query:

web_access_logs | where url contains "action.setdefaulttemplate.php" or url contains "action.showmessage.php" | where parameters contains "../" or parameters contains "..\\"
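
An added example, not part of the original advisory: the SIEM query above matches only literal `../` or `..\`, so this Python function applies the same two conditions to access-log lines after percent-decoding, including double encoding. The log lines, URL paths and the parameter name `x` are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Script names taken from the advisory's log indicators.
SCRIPTS = ("action.setdefaulttemplate.php", "action.showmessage.php")
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# "../" or "..\" once the value has been decoded.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Constructed sample lines (documentation IP ranges, made-up paths and parameter).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2019:10:00:01 +0000] "GET /site/action.showmessage.php?x=../../example.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Mar/2019:10:00:02 +0000] "GET /site/action.setdefaulttemplate.php?x=%2e%2e%2fexample.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Mar/2019:10:00:03 +0000] "GET /site/action.showmessage.php?x=%252e%252e%255cexample.txt HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Mar/2019:10:05:00 +0000] "GET /site/action.showmessage.php?x=hello HTTP/1.1" 200 128',
    '198.51.100.4 - - [01/Mar/2019:10:06:00 +0000] "GET /site/index.php?page=../news HTTP/1.1" 200 128',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(log_line):
    """True if the line requests one of the scripts with a traversal sequence."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return False
    # Split before decoding so an encoded '?' or '#' cannot shift the query boundary.
    parts = urlsplit(match.group("target"))
    path = fully_decode(parts.path).lower()
    query = fully_decode(parts.query)
    hits_script = any(script in path for script in SCRIPTS)
    return hits_script and bool(TRAVERSAL_RE.search(query))

def flagged_indexes(lines):
    """Indexes of the log lines that match both conditions of the SIEM query."""
    return [i for i, line in enumerate(lines) if is_suspicious(line)]

if __name__ == "__main__":
    for i in flagged_indexes(SAMPLE_LOG):
        print(SAMPLE_LOG[i])
```

Parameters sent in a POST body do not appear in standard access logs, so this covers query strings only.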
