PatchSiren cyber security CVE debrief
CVE-2017-6070 Cmsmadesimple CVE debrief
CVE-2017-6070 is a critical remote code execution issue in CMS Made Simple Form Builder. The published description says attackers could execute PHP code through the cntnt01fbrp_forma_form_template parameter in admin_store_form. NVD maps the issue to Form Builder versions through 0.8.1.5 and CMS Made Simple versions through 1.12.2.
- Vendor: Cmsmadesimple
- Product: CVE-2017-6070
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-21
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-21
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams running CMS Made Simple sites, especially those using the Form Builder module or older CMS Made Simple releases, should treat this as urgent.
Technical summary
The CVE describes a server-side PHP code execution weakness in the Form Builder component. The vulnerable input is the cntnt01fbrp_forma_form_template parameter handled by admin_store_form. NVD’s vulnerability metadata associates the issue with cmsmadesimple:form_builder versions up to 0.8.1.5 and cmsmadesimple:cms_made_simple versions up to 1.12.2. The record’s CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network-reachable impact with no privileges or user interaction required.
Defensive priority
Critical / urgent. This is a network-reachable code execution flaw with high confidentiality, integrity, and availability impact.
Recommended defensive actions
- Upgrade CMS Made Simple Form Builder to version 0.8.1.6 or later, per the vulnerability description.
- If you run affected CMS Made Simple releases, move to a non-vulnerable version beyond the NVD-listed affected range.
- Restrict access to administrative interfaces and ensure only trusted administrators can reach admin functions.
- Review application and web-server logs for unexpected requests targeting admin_store_form or the cntnt01fbrp_forma_form_template parameter.
- Inspect affected hosts for unexpected PHP files, template changes, or other signs of unauthorized code execution.
- If compromise is suspected, rotate application credentials and assess the broader environment for lateral movement or persistence.
- Use the official project and advisory references to verify the fixed release and any vendor guidance before reopening the service.
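The log review recommended in the list above, as an added example (not code from PatchSiren or the CMS Made Simple project): a Python scan of combined-format access logs for the two identifiers named in the CVE description, decoding URL-encoded targets first. The sample lines, IP addresses and paths are constructed, and since access logs normally record only the request line, a parameter sent in a POST body has to be sought in application or WAF logs instead.

```python
import re
from urllib.parse import unquote_plus

# Identifiers taken from the CVE description quoted on this page.
INDICATORS = ("admin_store_form", "cntnt01fbrp_forma_form_template")

# Combined log format: client IP, timestamp, "METHOD target PROTO", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode(target, rounds=3):
    """URL-decode repeatedly so double-encoded names still match."""
    for _ in range(rounds):
        nxt = unquote_plus(target)
        if nxt == target:
            break
        target = nxt
    return target.lower()

def scan(lines):
    """Return one finding per log line whose request target names an indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = decode(m["target"])
        hits = [i for i in INDICATORS if i in target]
        if hits:
            findings.append({"line": n, "ip": m["ip"], "ts": m["ts"],
                             "method": m["method"], "status": int(m["status"]),
                             "indicators": hits})
    return findings

# Constructed sample lines (documentation IPs, placeholder paths), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [21/Feb/2017:08:01:12 +0000] "GET /index.php?page=contact HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Feb/2017:08:02:40 +0000] "POST /placeholder.php?action=admin_store_form HTTP/1.1" 200 312',
    '203.0.113.9 - - [21/Feb/2017:08:02:41 +0000] "GET /placeholder.php?cntnt01fbrp%255Fforma%255Fform%255Ftemplate=x HTTP/1.1" 302 0',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Findings are leads for the host inspection in the next step, not proof of compromise; correlate the source address and timestamp with file changes on the server.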
Evidence notes
Supported by the NVD CVE record and the MITRE-cited references. The CVE description states that CMS Made Simple Form Builder before 0.8.1.6 allows remote attackers to execute PHP code via cntnt01fbrp_forma_form_template in admin_store_form. NVD lists vulnerable CPE criteria for cmsmadesimple:form_builder up to 0.8.1.5 and cmsmadesimple:cms_made_simple up to 1.12.2. The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The source corpus also lists a third-party advisory and a product reference URL.
Official resources
- CVE-2017-6070 CVE record (CVE.org)
- CVE-2017-6070 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (Product)
- Mitigation or vendor reference (Exploit, Third Party Advisory)
CVE published on 2017-02-21T07:59:00.390Z and last modified on 2026-05-13T00:24:29.033Z. No KEV entry is provided in the supplied corpus.