PatchSiren cyber security CVE debrief
CVE-2017-6071 Cmsmadesimple CVE debrief
CVE-2017-6071 is a remotely reachable information-disclosure issue in CMS Made Simple Form Builder, triggered through exportxml. NVD rates it as medium severity and identifies low confidentiality impact with no integrity or availability impact. The supplied NVD record also lists affected CMS Made Simple and Form Builder version ranges, so version inventory matters for both components.
- Vendor: Cmsmadesimple
- Product: CVE-2017-6071
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-21
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-21
- Advisory updated: 2026-05-13
Who should care
Administrators and owners of CMS Made Simple deployments, especially sites using the Form Builder component, should review their installed versions and update promptly. Security teams that track externally reachable web applications should treat this as a confidentiality issue (exposure of data) rather than a service-disruption risk.
Technical summary
The CVE description states that CMS Made Simple version 1.x Form Builder before 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via exportxml. NVD assigns CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N and CWE-200, indicating a network-accessible flaw with no privileges or user interaction required and only confidentiality impact. The NVD CPE data also marks CMS Made Simple versions up to 1.12.2 and Form Builder up to 0.8.1.5 as vulnerable.
Defensive priority
Medium. The issue is unauthenticated and network-accessible, but the published impact is limited to information disclosure. Prioritize it if the affected instance is internet-facing or may contain sensitive content.
Recommended defensive actions
- Upgrade CMS Made Simple Form Builder to 0.8.1.6 or later.
- Review the installed CMS Made Simple version against the affected CPE range and apply the appropriate vendor update.
- Inventory all CMS Made Simple instances to confirm whether Form Builder is deployed and exposed.
- Check logs and application telemetry for unexpected exportxml access patterns.
- Assess whether any sensitive data may have been exposed and rotate or revoke credentials if exposure is suspected.
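The version review and inventory steps above can be scripted. The following is an added example, not code from CMS Made Simple or NVD; the inventory format (the host, cmsms and form_builder fields), the status names and the sample rows are assumptions made for illustration, while the two version boundaries are the ones quoted on this page.

```python
import re

FORM_BUILDER_FIXED = (0, 8, 1, 6)  # page: Form Builder before 0.8.1.6 is affected
CMSMS_LAST_LISTED = (1, 12, 2)     # page: NVD CPE lists CMS Made Simple up to 1.12.2

def parse_version(text):
    """'0.8.1.5' -> (0, 8, 1, 5); None when the value is missing or not dotted digits."""
    text = (text or "").strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def compare(a, b):
    """-1, 0 or 1; the shorter tuple is zero-padded so 1.12 equals 1.12.0."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)

def assess(row):
    """Classify one inventory row as 'affected', 'review' or 'ok', with reasons."""
    reasons = []
    fb_raw, core_raw = row.get("form_builder"), row.get("cmsms")
    fb, core = parse_version(fb_raw), parse_version(core_raw)
    status = "ok"
    if core is None or compare(core, CMSMS_LAST_LISTED) <= 0:
        status = "review"
        reasons.append("CMS Made Simple version unknown or within listed range")
    if fb_raw and fb is None:
        status = "review"  # never treat an unreadable version as patched
        reasons.append("Form Builder version could not be parsed")
    elif fb is not None and compare(fb, FORM_BUILDER_FIXED) < 0:
        status = "affected"
        reasons.append("Form Builder older than 0.8.1.6")
    return status, reasons

# Constructed inventory rows (hosts and versions are made up for this example).
INVENTORY = [
    {"host": "www.example.test", "cmsms": "1.12.1", "form_builder": "0.8.1.5"},
    {"host": "intranet.example.test", "cmsms": "1.12.2", "form_builder": "0.8.1.6"},
    {"host": "shop.example.test", "cmsms": "2.1.6", "form_builder": None},
    {"host": "old.example.test", "cmsms": "1.12", "form_builder": "0.8.1-beta"},
]

def report(inventory):
    """Map each host to its status."""
    return {row["host"]: assess(row)[0] for row in inventory}

if __name__ == "__main__":
    for row in INVENTORY:
        status, reasons = assess(row)
        print(f'{row["host"]:24} {status:9} {"; ".join(reasons)}')
```

Rows marked "review" have a patched or absent Form Builder but a core version that is unknown or inside the listed CPE range, or a Form Builder version string that could not be parsed.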
Evidence notes
This debrief is based only on the supplied CVE/NVD corpus and the linked official references. The primary evidence is the NVD description and metadata, which identify a remote information-disclosure issue via exportxml, CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, CWE-200, and vulnerable CPE entries for CMS Made Simple Form Builder and CMS Made Simple. The linked product page and third-party advisory are cited as references only; no exploit details are included here.
Official resources
- CVE-2017-6071 CVE record (CVE.org)
- CVE-2017-6071 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Product
- Mitigation or vendor reference: Exploit, Third Party Advisory
CVE published on 2017-02-21. The supplied NVD record was last modified on 2026-05-13. No KEV entry was provided in the supplied timeline.