CVE-2014-8790

XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
VendorProductVersion
cagintranetworksgetsimple_cms
3.3.3
cagintranetworksgetsimple_cms
3.3.4
get-simplegetsimple_cms
3.1.1
get-simplegetsimple_cms
3.1.2
get-simplegetsimple_cms
3.2
get-simplegetsimple_cms
3.2.1
get-simplegetsimple_cms
3.2.2
get-simplegetsimple_cms
3.2.3
get-simplegetsimple_cms
3.3.0
get-simplegetsimple_cms
3.3.1
get-simplegetsimple_cms
3.3.2:b3
𝑥
= Vulnerable software versions
References
http://get-simple.info/start/changelog/
http://karmainsecurity.com/KIS-2014-17
http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html
http://seclists.org/fulldisclosure/2014/Dec/135
https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944
http://get-simple.info/start/changelog/
http://karmainsecurity.com/KIS-2014-17
http://packetstormsecurity.com/files/129778/GetSimple-CMS-3.3.4-XML-External-Entity-Injection.html
http://seclists.org/fulldisclosure/2014/Dec/135
https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944