CMS Made Simple <= 1.2.2 (content_css.php) SQL Injection Vulnerability


CMS Made Simple contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ‘modules/TinyMCE/content_css.php’ script not properly sanitizing user-supplied input to the ‘templateid’ parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
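
A defender can check web server access logs for requests that target this parameter. The following is an added example, not code from the advisory or from CMS Made Simple: it flags requests to the script whose 'templateid' value is not a plain integer. The combined log format, the premise that legitimate template IDs are numeric, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script path and parameter name come from the advisory text.
SCRIPT = "/modules/tinymce/content_css.php"
PARAM = "templateid"

# Assumption: Apache/nginx "combined" access log format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def suspicious_requests(log_lines):
    """Return (client_ip, decoded_value) for every request to the script
    whose templateid is not a plain integer (assumed legitimate form)."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        # endswith() also covers installs under a sub-directory such as /cms/.
        if not url.path.lower().endswith(SCRIPT):
            continue
        # parse_qs percent-decodes once; a doubly encoded value still
        # contains '%' after decoding and is therefore flagged as well.
        for value in parse_qs(url.query).get(PARAM, []):
            if not re.fullmatch(r"\d{1,10}", value):
                hits.append((m.group("ip"), value))
    return hits

# Constructed sample log lines (documentation IP ranges, invented requests).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET /modules/TinyMCE/'
    'content_css.php?templateid=15 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2008:10:00:05 +0000] "GET /cms/modules/TinyMCE/'
    'content_css.php?templateid=15%27 HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [01/Jan/2008:10:00:06 +0000] "GET /cms/modules/TinyMCE/'
    'content_css.php?templateid=15+AND+1%3D1 HTTP/1.1" 200 498 "-" "-"',
    '203.0.113.4 - - [01/Jan/2008:10:00:09 +0000] "GET /index.php?page=home'
    '&templateid=abc HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\ttemplateid={value!r}")
```

A hit only shows that a non-numeric value was sent; whether the installation was affected depends on its version (1.2.2 or earlier, per the advisory title).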


Disclosure Date: December 30, 2007