In CMS Made Simple 2.1.6, there is Server-Side Template Injection via the cntnt01detailtemplate parameter.
Threat-Mapped Scoring
Score: 0.0
Priority: Unclassified
EPSS
Score: 0.16935
Percentile:
0.94658
CVSS Scoring
CVSS v3.1 Score: 9.8
Severity: CRITICAL
Mapped CWE(s)
-
CWE-94
: Improper Control of Generation of Code ('Code Injection')
All CAPEC(s)
-
CAPEC-242: Code Injection
-
CAPEC-35: Leverage Executable Code in Non-Executable Files
-
CAPEC-77: Manipulating User-Controlled Variables
CAPEC(s) with Mapped TTPs
-
CAPEC-35: Leverage Executable Code in Non-Executable Files
Mapped TTPs:
Mapped ATT&CK TTPs
-
T1027.006
: HTML Smuggling
Kill Chain: defense-evasion
-
T1027.009
: Embedded Payloads
Kill Chain: defense-evasion
-
T1564.009
: Resource Forking
Kill Chain: defense-evasion
Malware
APTs Threat Group Associations
Campaigns
Affected Products
- cpe:2.3:a:cmsmadesimple:cms_made_simple:2.1.6:*:*:*:*:*:*:*
← Back to Home