CVE-2019-9053

CMS Made Simple < 2.2.10 - SQL Injection

Severity Score

8.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.

Se ha descubierto un problema en CMS Made Simple 2.2.8. En el módulo News, mediante una URL manipulada, es posible lograr una inyección SQL ciega basada en tiempo mediante el parámetro m1_idlist.

CMS Made Simple versions prior to 2.2.10 suffer from a remote SQL injection vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-02-23 CVE Reserved
2019-03-26 CVE Published
2019-04-02 First Exploit
2024-08-04 CVE Updated
2025-03-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

References (32)

URL	Tag	Source

URL	Date	SRC
https://packetstorm.news/files/id/152356	2019-04-02
https://www.exploit-db.com/exploits/46635	2024-08-04
https://github.com/e-renna/CVE-2019-9053	2023-05-09
https://github.com/Mahamedm/CVE-2019-9053-Exploit-Python-3	2024-06-09
https://github.com/N3rdyN3xus/CVE-2019-9053	2024-08-09
https://github.com/ELIZEUOPAIN/CVE-2019-9053-CMS-Made-Simple-2.2.10---SQL-Injection-Exploit	2023-06-30
https://github.com/davcwikla/CVE-2019-9053-exploit	2023-11-26
https://github.com/kahluri/CVE-2019-9053	2023-08-07
https://github.com/fernandobortotti/CVE-2019-9053	2023-10-16
https://github.com/byrek/CVE-2019-9053	2023-11-20
https://github.com/im-suman-roy/CVE-2019-9053	2023-07-04
https://github.com/BjarneVerschorre/CVE-2019-9053	2023-11-30
https://github.com/pedrojosenavasperez/CVE-2019-9053-Python3	2022-12-14
https://github.com/FedericoTorres233/CVE-2019-9053-Fixed	2024-05-17
https://github.com/jtoalu/CTF-CVE-2019-9053-GTFOBins	2024-08-09
https://github.com/Doc0x1/CVE-2019-9053-Python3	2023-10-16
https://github.com/TeymurNovruzov/CVE-2019-9053-python3-remastered	2024-06-25
https://github.com/Jason-Siu/CVE-2019-9053-Exploit-in-Python-3	2024-02-21
https://github.com/SUNNYSAINI01001/46635.py_CVE-2019-9053	2024-01-03
https://github.com/n3rdh4x0r/CVE-2019-9053	2024-11-18
https://github.com/maraspiras/46635.py	2021-12-09
https://github.com/zmiddle/Simple_CMS_SQLi	2022-10-08
https://github.com/bthnrml/guncel-cve-2019-9053.py	2023-07-09
https://github.com/Dh4nuJ4/SimpleCTF-UpdatedExploit	2024-06-21
https://github.com/Azrenom/CMS-Made-Simple-2.2.9-CVE-2019-9053	2024-09-21
https://github.com/louisthedonothing/CVE-2019-9053	2024-12-02
https://github.com/Yzhacker/CVE-2019-9053-CMS46635-python3	2025-02-14
https://github.com/hf3cyber/CMS-Made-Simple-2.2.9-Unauthenticated-SQL-Injection-Exploit-CVE-2019-9053-	2025-03-05
https://github.com/so1icitx/CVE-2019-9053	2025-03-31
http://packetstormsecurity.com/files/152356/CMS-Made-Simple-SQL-Injection.html	2024-08-04

URL	Date	SRC

URL	Date	SRC
https://newsletter.cmsmadesimple.org/w/89247Qog4jCRCuRinvhsofwg	2019-04-24
https://www.cmsmadesimple.org/2019/03/Announcing-CMS-Made-Simple-v2.2.10-Spuzzum	2019-04-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cmsmadesimple Search vendor "Cmsmadesimple"		Cms Made Simple Search vendor "Cmsmadesimple" for product "Cms Made Simple"				2.2.8 Search vendor "Cmsmadesimple" for product "Cms Made Simple" and version "2.2.8"		-		Affected