Skip to main content

Incorrect Permission Assignment for Critical Resource

CVE-2018-10518

Severity Medium
Score 6.5/10

Summary

In CMS Made Simple (CMSMS) through 2.2.7, the "file delete" operation in the admin dashboard contains an arbitrary file deletion vulnerability that can cause DoS, exploitable by an admin user, because the attacker can remove all lib/ files in all directories.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • HIGH
  • NONE
  • HIGH

CWE-732 - Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References

Advisory Timeline

  • Published