CVE-2014-8790 - OpenCVE

XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cagintranetworks	Getsimple Cms
Get-simple	Getsimple Cms

Configuration 1 [-]

OR	cpe:2.3:a:cagintranetworks:getsimple_cms:3.3.3:::::::*
	cpe:2.3:a:cagintranetworks:getsimple_cms:3.3.4:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.1.1:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.1.2:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.2:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.2.1:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.2.2:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.2.3:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.3.0:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.3.1:::::::*
	cpe:2.3:a:get-simple:getsimple_cms:3.3.2:b3::::::

No data.

References

Link	Providers
http://get-simple.info/start/changelog/
http://karmainsecurity.com/KIS-2014-17
http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html
http://seclists.org/fulldisclosure/2014/Dec/135
https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-01-20T15:00:00

Updated: 2024-08-06T13:26:02.694Z

Reserved: 2014-11-13T00:00:00

Link: CVE-2014-8790

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2015-01-20T15:59:02.767

Modified: 2018-10-30T16:27:48.750

Link: CVE-2014-8790

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-10-28T00:00:00", "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-01-20T14:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20141231 [KIS-2014-17] GetSimple CMS <= 3.3.4 (api.php) XML External Entity Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2014/Dec/135"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://get-simple.info/start/changelog/"}, {"tags": ["x_refsource_MISC"], "url": "http://karmainsecurity.com/KIS-2014-17"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-8790", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20141231 [KIS-2014-17] GetSimple CMS <= 3.3.4 (api.php) XML External Entity Vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Dec/135"}, {"name": "http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html"}, {"name": "http://get-simple.info/start/changelog/", "refsource": "CONFIRM", "url": "http://get-simple.info/start/changelog/"}, {"name": "http://karmainsecurity.com/KIS-2014-17", "refsource": "MISC", "url": "http://karmainsecurity.com/KIS-2014-17"}, {"name": "https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944", "refsource": "CONFIRM", "url": "https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:26:02.694Z"}, "title": "CVE Program Container", "references": [{"name": "20141231 [KIS-2014-17] GetSimple CMS <= 3.3.4 (api.php) XML External Entity Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2014/Dec/135"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://get-simple.info/start/changelog/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://karmainsecurity.com/KIS-2014-17"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-8790", "datePublished": "2015-01-20T15:00:00", "dateReserved": "2014-11-13T00:00:00", "dateUpdated": "2024-08-06T13:26:02.694Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cagintranetworks:getsimple_cms:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "22530D96-CE49-4675-83C5-066547BE3C52", "vulnerable": true}, {"criteria": "cpe:2.3:a:cagintranetworks:getsimple_cms:3.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "9BF62238-8CC4-47CD-A86A-B8DFC672AF71", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "733282CB-3E2E-4E12-AF47-6A9EA4807C6E", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "B5D8A854-9344-4063-85BF-1C773B33EADE", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "15806A00-25E7-404A-9E8B-D74DCD847275", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "CDD52948-4B08-4582-8E8B-C1E9FA2989B2", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "5B64BEF7-F4F8-4B6B-8426-8D3A7365996D", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "BF77D84A-9212-4CE9-89D5-3205CD841FCF", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "B5201DE3-6BF1-4634-9B61-F486C444FF01", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "93A26D2C-5F0F-4EEA-B9AB-31ADCC5CD42A", "vulnerable": true}, {"criteria": "cpe:2.3:a:get-simple:getsimple_cms:3.3.2:b3:*:*:*:*:*:*", "matchCriteriaId": "EEEA76C0-5C52-4AE6-B97F-AC5DF4D38AAF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter."}, {"lang": "es", "value": "Vulnerabilidad de entidad externa XML (XXE) en admin/api.php en GetSimple CMS 3.1.1 hasta 3.3.x anterior a 3.3.5 Beta 1, cuando est\u00e1 en ciertas configuraciones, permite a atacantes remotos leer ficheros arbitrarios a trav\u00e9s del par\u00e1metro data."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/611.html\" target=\"_blank\">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>", "id": "CVE-2014-8790", "lastModified": "2018-10-30T16:27:48.750", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-01-20T15:59:02.767", "references": [{"source": "cve@mitre.org", "url": "http://get-simple.info/start/changelog/"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://karmainsecurity.com/KIS-2014-17"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Dec/135"}, {"source": "cve@mitre.org", "url": "https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}