Security question about 2.2.5 release

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
Post Reply
bmartin
New Member
New Member
Posts: 1
Joined: Mon Dec 18, 2017 6:02 pm

Security question about 2.2.5 release

Post by bmartin »

Hi Team,

Recently, MITRE assigned two CVE IDs for issues related to the 2.2.5 release [1] [2]. The first, CVE-2017-17734 [3] is simply described as "CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in sessions." The second, CVE-2017-17735 [4] is described as "CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in cookies."

Given the wording of your release announcement [1], it isn't obvious if these fixed true vulnerabilities or were defense-in-depth enhancements. Can you clarify which they are?

Thanks,

Brian

[1] viewtopic.php?f=1&t=77737
[2] https://www.cmsmadesimple.org/2017/12/A ... 2.2.5-Wawa
[3] http://cve.mitre.org/cgi-bin/cvename.cg ... 2017-17734
[4] http://cve.mitre.org/cgi-bin/cvename.cg ... 2017-17735

p.s. https://www.cmsmadesimple.org/support/options/ has an HTML typo so (TM) is not rendering: "Although CMS Made Simple&tm; is freely"
Top
Post Reply

Return to “CMSMS Core”