CVE-2019-9693 Information

Description

In CMS Made Simple (CMSMS) before 2.2.10 an authenticated user can achieve SQL Injection in class.showtime2_data.php via the functions _updateshow (parameter show_id) _inputshow (parameter show_id) _Getshowinfo (parameter show_id) _Getpictureinfo (parameter picture_id) _AdjustNameSeq (parameter shownumber) _Updatepicture (parameter picture_id) and _Deletepicture (parameter picture_id).

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=2Ftrunk2Flib2Fclass.showtime2_data.php&rev=47 https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8