An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.
Recent assessments:
Leafry at January 18, 2021 11:27pm UTC reported:
This exploit is ok. When running on my attack box I had to modify the code. Not the worse case. Just a few commands threw syntax errors. In the end the CVE was able to provide a salt and hash that gave me credentials to get into the box.
Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 3