CVE-2024-27622

7.2 HIGH

📋 TL;DR

This CVE describes a remote code execution vulnerability in CMS Made Simple's User Defined Tags module. Authenticated administrators can inject arbitrary PHP code due to insufficient input sanitization, potentially leading to complete system compromise. Only CMS Made Simple installations with the vulnerable module are affected.

💻 Affected Systems

Products:
  • CMS Made Simple
Versions: 2.2.19, 2.2.21
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the User Defined Tags module and administrative access. Earlier versions may also be vulnerable but were not specifically tested.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Full system compromise: attacker gains shell access, installs persistent backdoors, exfiltrates sensitive data, and uses the server for further attacks.

🟠 Likely Case
Attacker modifies website content, steals database credentials, installs cryptocurrency miners or malware, and establishes persistence.

🟢 If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized content changes that can be detected and reverted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative credentials. Multiple public proof-of-concept exploits exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.22

Vendor Advisory: https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=86585

Restart Required: No

Instructions:

1. Back up your CMS Made Simple installation and database.
2. Download CMS Made Simple 2.2.22 from the official website.
3. Replace all files except config.php and the uploads directory.
4. Run the upgrade script if prompted.
5. Verify the User Defined Tags module is updated.

🔧 Temporary Workarounds

Disable User Defined Tags Module

Platform: all

Temporarily disable the vulnerable module until patching is possible.

Navigate to Extensions > Modules in the CMS admin panel, find 'User Defined Tags', and click Disable.

Restrict Administrative Access

Platform: linux

Limit administrative access to trusted IP addresses only.

Add to .htaccess (192.168.1.0/24 is an example range; substitute your own administrative network):

Order deny,allow
Deny from all
Allow from 192.168.1.0/24

Note that Order/Deny/Allow are Apache 2.2-style directives; on Apache 2.4 they only work when mod_access_compat is loaded, otherwise use the native Require directive instead.

🧯 If You Can't Patch

  • Implement strict access controls: limit administrative accounts to essential personnel only and enforce strong passwords with MFA
  • Enable comprehensive logging and monitoring: monitor for unusual PHP execution patterns and unauthorized file modifications

🔍 How to Verify

Check if Vulnerable:

Check the CMS version in the admin panel or look for /admin/version.php. If the version is 2.2.19 or 2.2.21 and the User Defined Tags module is enabled, the system is vulnerable.

Check Version:

Check /admin/version.php or look at the CMS version in the admin dashboard.

Verify Fix Applied:

After updating, verify that the version shows 2.2.22 or higher in the admin panel. Test User Defined Tags functionality to ensure it works without allowing PHP code injection.

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP execution in User Defined Tags module
  • Administrative account logins from unexpected locations
  • File modifications in CMS directories

Network Indicators:

  • Unexpected outbound connections from web server
  • Large data transfers from database server

SIEM Query:

source="web_logs" AND ("User Defined Tags" OR "eval(" OR "system(") AND status=200
