PatchSiren

CVE-2017-6072 Cmsmadesimple CVE debrief

CVE-2017-6072 is a publicly documented information-disclosure issue in CMS Made Simple Form Builder. The published record says remote attackers could trigger disclosure via defaultadmin, and NVD maps the weakness to CWE-200 with a network-based attack path that requires no privileges or user interaction.

Vendor: Cmsmadesimple
Product: CVE-2017-6072
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-21
Original CVE updated: 2026-05-13
Advisory published: 2017-02-21
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running CMS Made Simple 1.x with the Form Builder component, especially where exposed admin or form data could reveal sensitive information. Hosting providers and managed service teams should also check for affected customer deployments.

Technical summary

The NVD record describes a confidentiality-only issue (CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). It lists Form Builder versions up to 0.8.1.5 as vulnerable and also maps CMS Made Simple versions up to 1.12.2. The CVE description states that remote attackers can conduct information-disclosure attacks via defaultadmin.

Defensive priority

Medium. The score is 5.3 and the impact is limited to confidentiality, but the attack is network-reachable and requires neither authentication nor user interaction.

Recommended defensive actions

  • Identify any CMS Made Simple deployments that include the Form Builder component.
  • Verify whether Form Builder is at version 0.8.1.5 or earlier and upgrade to 0.8.1.6 or later.
  • Check whether CMS Made Simple itself is within the vulnerable range listed by NVD (up to 1.12.2) and move to a non-vulnerable release.
  • Review administrative exposure around defaultadmin and remove unnecessary access paths.
  • Audit logs and application data for signs that sensitive information may have been exposed.
  • Retest after remediation to confirm the vulnerable component versions are no longer present.
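
The version checks in the list above can be run across an inventory in one pass. The following is an added example, not code from CMS Made Simple or from the advisory; the inventory records, hostnames and field names are constructed, and the two version bounds are the ones quoted on this page.

```python
import re

# Last vulnerable versions, from the NVD ranges quoted on this page.
CHECKS = [
    ("Form Builder", "form_builder", "0.8.1.5"),
    ("CMS Made Simple", "cmsms", "1.12.2"),
]

def parse_version(text):
    """'0.8.1.5' -> (0, 8, 1, 5); None when the string is not dotted digits."""
    text = (text or "").strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def at_or_below(version, bound):
    """Numeric compare with zero padding: '0.10' > '0.8.1.5', '0.8.1' == '0.8.1.0'."""
    v, b = parse_version(version), parse_version(bound)
    width = max(len(v), len(b))
    return v + (0,) * (width - len(v)) <= b + (0,) * (width - len(b))

def triage(site):
    """Return the findings for one inventory record (empty list: nothing to do)."""
    findings = []
    for label, key, bound in CHECKS:
        value = site.get(key)
        if value is None:  # component not installed
            continue
        if parse_version(value) is None:
            findings.append(f"{label} {value!r}: version not parseable, check by hand")
        elif at_or_below(value, bound):
            findings.append(f"{label} {value} is in the listed range (<= {bound})")
    return findings

# Constructed sample inventory; hostnames, field names and versions are illustrative.
INVENTORY = [
    {"host": "site-a.example", "cmsms": "1.12.2", "form_builder": "0.8.1.5"},
    {"host": "site-b.example", "cmsms": "1.12.3", "form_builder": "0.8.1.6"},
    {"host": "site-c.example", "cmsms": "1.12", "form_builder": "0.8.1"},
    {"host": "site-d.example", "cmsms": "2.1.6", "form_builder": None},
    {"host": "site-e.example", "cmsms": "1.12.2", "form_builder": "0.8.1.6-beta"},
]

if __name__ == "__main__":
    for site in INVENTORY:
        for finding in triage(site):
            print(f"{site['host']}: {finding}")
```

Comparing versions as integer tuples rather than strings matters here because a plain string comparison would sort a four-part version such as 0.8.1.10 below 0.8.1.5.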

Evidence notes

The CVE description supplied with the record states that CMS Made Simple version 1.x Form Builder before 0.8.1.6 allows remote information disclosure via defaultadmin. The NVD metadata maps the issue to CWE-200 and provides vulnerable CPE ranges for Form Builder up to 0.8.1.5 and CMS Made Simple up to 1.12.2. A third-party advisory reference is also listed in the record.

Official resources

CVE-2017-6072 was published on 2017-02-21 and later modified in the NVD record on 2026-05-13. The issue is publicly documented in official CVE/NVD sources and includes a third-party advisory reference.