CVE-2014-8790 - OpenCVE

XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Get-simple	Getsimple Cms
Cagintranetworks	Getsimple Cms

Configuration 1 [-]

OR	cpe:2.3:a:cagintranetworks:getsimple_cms:3.3.3:::::::*
	cpe:2.3:a:cagintranetworks:getsimple_cms:3.3.4:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.1.1:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.1.2:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.2:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.2.1:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.2.2:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.2.3:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.3.0:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.3.1:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.3.2:b3::::::

References

Link	Resource
http://get-simple.info/start/changelog/
http://karmainsecurity.com/KIS-2014-17	Exploit
http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html	Exploit
http://seclists.org/fulldisclosure/2014/Dec/135	Exploit
https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2015-01-20T15:00:00

Updated: 2015-01-20T14:57:00

Reserved: 2014-11-13T00:00:00

Link: CVE-2014-8790

JSON object: View

NVD Information

Status : Analyzed

Published: 2015-01-20T15:59:02.767

Modified: 2018-10-30T16:27:48.750

Link: CVE-2014-8790

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-10-28T00:00:00", "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-01-20T14:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20141231 [KIS-2014-17] GetSimple CMS <= 3.3.4 (api.php) XML External Entity Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2014/Dec/135"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://get-simple.info/start/changelog/"}, {"tags": ["x_refsource_MISC"], "url": "http://karmainsecurity.com/KIS-2014-17"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-8790", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20141231 [KIS-2014-17] GetSimple CMS <= 3.3.4 (api.php) XML External Entity Vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Dec/135"}, {"name": "http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html"}, {"name": "http://get-simple.info/start/changelog/", "refsource": "CONFIRM", "url": "http://get-simple.info/start/changelog/"}, {"name": "http://karmainsecurity.com/KIS-2014-17", "refsource": "MISC", "url": "http://karmainsecurity.com/KIS-2014-17"}, {"name": "https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944", "refsource": "CONFIRM", "url": "https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-8790", "datePublished": "2015-01-20T15:00:00", "dateReserved": "2014-11-13T00:00:00", "dateUpdated": "2015-01-20T14:57:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cagintranetworks:getsimple_cms:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "22530D96-CE49-4675-83C5-066547BE3C52", "vulnerable": true}, {"criteria": "cpe:2.3:a:cagintranetworks:getsimple_cms:3.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "9BF62238-8CC4-47CD-A86A-B8DFC672AF71", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "733282CB-3E2E-4E12-AF47-6A9EA4807C6E", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "B5D8A854-9344-4063-85BF-1C773B33EADE", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "15806A00-25E7-404A-9E8B-D74DCD847275", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "CDD52948-4B08-4582-8E8B-C1E9FA2989B2", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "5B64BEF7-F4F8-4B6B-8426-8D3A7365996D", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "BF77D84A-9212-4CE9-89D5-3205CD841FCF", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "B5201DE3-6BF1-4634-9B61-F486C444FF01", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "93A26D2C-5F0F-4EEA-B9AB-31ADCC5CD42A", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.3.2:b3:*:*:*:*:*:*", "matchCriteriaId": "EEEA76C0-5C52-4AE6-B97F-AC5DF4D38AAF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter."}, {"lang": "es", "value": "Vulnerabilidad de entidad externa XML (XXE) en admin/api.php en GetSimple CMS 3.1.1 hasta 3.3.x anterior a 3.3.5 Beta 1, cuando est\u00e1 en ciertas configuraciones, permite a atacantes remotos leer ficheros arbitrarios a trav\u00e9s del par\u00e1metro data."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/611.html\" target=\"_blank\">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>", "id": "CVE-2014-8790", "lastModified": "2018-10-30T16:27:48.750", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-01-20T15:59:02.767", "references": [{"source": "cve@mitre.org", "url": "http://get-simple.info/start/changelog/"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://karmainsecurity.com/KIS-2014-17"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Dec/135"}, {"source": "cve@mitre.org", "url": "https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}