Arbitrary PHP Code Execution in CMS Made Simple (CMSMS) 2.1.6 via admin/editusertag.php

CVE-2017-8912 · MEDIUM Severity

AV:N/AC:L/Au:S/C:P/I:P/A:P

CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated administrators to execute arbitrary PHP code via the code parameter to admin/editusertag.php, related to the CreateTagFunction and CallUserTag functions. NOTE: the vendor reportedly has stated this is "a feature, not a bug."