CVE-2019-11231
CVE-2019-11231 is a critical-severity vulnerability in Get-simple Getsimple Cms with a CVSS 3.x base score of 9.8. Its EPSS exploit-prediction score of 72% places it in the 99th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-22.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 5.0
- EPSS exploit prediction: 72% (99th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-22
- Affected product: Get-simple Getsimple Cms
- Published:
- Last modified:
Description
An issue was discovered in GetSimple CMS through 3.3.15. insufficient input sanitation in the theme-edit.php file allows upload of files with arbitrary content (PHP code, for example). This vulnerability is triggered by an authenticated user; however, authentication can be bypassed. According to the official documentation for installation step 10, an admin is required to upload all the files, including the .htaccess files, and run a health check. However, what is overlooked is that the Apache HTTP Server by default no longer enables the AllowOverride directive, leading to data/users/admin.xml password exposure. The passwords are hashed but this can be bypassed by starting with the data/other/authorization.xml API key. This allows one to target the session state, since they decided to roll their own implementation. The cookie_name is crafted information that can be leaked from the frontend (site name and version). If a someone leaks the API key and the admin username, then they can bypass authentication. To do so, they need to supply a cookie based on an SHA-1 computation of this known information. The vulnerability exists in the admin/theme-edit.php file. This file checks for forms submissions via POST requests, and for the csrf nonce. If the nonce sent is correct, then the file provided by the user is uploaded. There is a path traversal allowing write access outside the jailed themes directory root. Exploiting the traversal is not necessary because the .htaccess file is ignored. A contributing factor is that there isn't another check on the extension before saving the file, with the assumption that the parameter content is safe. This allows the creation of web accessible and executable files with arbitrary content.
Frequently asked questions
- What is CVE-2019-11231?
- An issue was discovered in GetSimple CMS through 3.3.15. insufficient input sanitation in the theme-edit.php file allows upload of files with arbitrary content (PHP code, for example). This vulnerability is triggered by an authenticated user; however, authentication can be bypassed. According to the official documentation for installation step 10, an admin is required to upload all the files, including the .htaccess files, and run a health check. However, what is overlooked is that the Apache HTTP Server by default no longer enables the AllowOverride directive, leading to data/users/admin.xml password exposure. The passwords are hashed but this can be bypassed by starting with the data/other/authorization.xml API key. This allows one to target the session state, since they decided to roll their own implementation. The cookie_name is crafted information that can be leaked from the frontend (site name and version). If a someone leaks the API key and the admin username, then they can bypass authentication. To do so, they need to supply a cookie based on an SHA-1 computation of this known information. The vulnerability exists in the admin/theme-edit.php file. This file checks for forms submissions via POST requests, and for the csrf nonce. If the nonce sent is correct, then the file provided by the user is uploaded. There is a path traversal allowing write access outside the jailed themes directory root. Exploiting the traversal is not necessary because the .htaccess file is ignored. A contributing factor is that there isn't another check on the extension before saving the file, with the assumption that the parameter content is safe. This allows the creation of web accessible and executable files with arbitrary content.
- How severe is CVE-2019-11231?
- CVE-2019-11231 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-11231 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 72% (99th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2019-11231?
- CVE-2019-11231 affects Get-simple Getsimple Cms. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2019-11231?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2019-11231 published?
- CVE-2019-11231 was published on 2019-05-22 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/152961/GetSimpleCMS-3.3.15-Remote-Code-Execution.html
- https://ssd-disclosure.com/?p=3899&preview=true
Affected products (1)
- cpe:2.3:a:get-simple:getsimple_cms:*:*:*:*:*:*:*:*
More vulnerabilities in Get-simple Getsimple Cms
- CVE-2022-41544 — Critical (CVSS 9.8): GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file…
- CVE-2018-17103 — High (CVSS 8.8): An issue was discovered in GetSimple CMS v3.3.13. There is a CSRF vulnerability that can change the administrator's…
- CVE-2014-8722 — High (CVSS 7.5): GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1)…
- CVE-2020-23839 — Medium (CVSS 6.1): A Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16, in the admin/index.php login portal…
- CVE-2013-1420 — Medium (CVSS 6.1): Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.2.1 allow remote attackers to inject…
- CVE-2018-16325 — Medium (CVSS 6.1): There is XSS in GetSimple CMS 3.4.0.9 via the admin/edit.php title field.
All CVEs affecting Get-simple Getsimple Cms →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…