CVE-2018-10086

anthon
New Member
Posts: 2
Joined: Wed Jun 20, 2018 7:23 am

CVE-2018-10086

Post by anthon »

What is the status on this?

Cheers, Christian.
velden
Dev Team Member
Posts: 3483
Joined: Mon Nov 28, 2011 9:29 am
Location: The Netherlands

Re: CVE-2018-10086

Post by velden »

The description is rather vague and I don't see how it can be a vulnerability.

Note that in general we don't consider it a vulnerability when an admin user can do admin things.

Please let me know if I'm missing something obvious.
anthon
New Member
Posts: 2
Joined: Wed Jun 20, 2018 7:23 am

Re: CVE-2018-10086

Post by anthon »

I'm probably not the right person to judge the implications. But if the vulnerabilities are only applicable to logged-in users in the admin or designer groups, I also fail to see the problem, since these users will already be allowed to execute more or less arbitrary PHP code through other means.

Thanks for the answer.
velden
Dev Team Member
Posts: 3483
Joined: Mon Nov 28, 2011 9:29 am
Location: The Netherlands

Re: CVE-2018-10086

Post by velden »

anthon wrote:
> I'm probably not the right person to judge the implications. But if the vulnerabilities are only applicable to logged-in users in the admin or designer groups, I also fail to see the problem, since these users will already be allowed to execute more or less arbitrary PHP code through other means.
>
> Thanks for the answer.

That's exactly what we understand from it too.
It's a pity those reports pop up regularly but we don't have time to reply to every one of them (the 'invalid' ones I mean).

However, if you think we might have missed an important vulnerability it's ok to ask about it of course.
creopard
Forum Members
Posts: 47
Joined: Fri Nov 10, 2017 10:25 am
Location: .de

Re: CVE-2018-10086

Post by creopard »

The different CVEs read rather nicely:
https://github.com/itodaro/cve/blob/master/README.md

You should at least consider adding the suggested fixes.
They are probably not really severe, but it would round up the upcoming version 2.3 just nicely :D