CVE-2007-5441 Information

Description

CMS Made Simple 1.1.3.1 does not check the permissions assigned to users in some situations, which allows remote authenticated users to perform some administrative actions, as demonstrated by (1) adding a user via a direct request to admin/adduser.php and (2) reading the admin log via an "admin/adminlog.php?page=1" request.

Reference

http://blog.cmsmadesimple.org/2007/10/07/announcing-cms-made-simple-1141/
http://osvdb.org/45481
http://securityreason.com/securityalert/3223
http://www.securityfocus.com/archive/1/481984/100/0/threaded
