CMS Made Simple <= 1.2.2 (content_css.php) SQL Injection Vulnerability

Description:

CMS Made Simple contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ‘modules/TinyMCE/content_css.php’ script not properly sanitizing user-supplied input to the ‘templateid’ parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

References:

• CVE-2007-6656
• BID-27074
• EDB-4810

Disclosure Date:

December 30, 2007