CVE-2021-47734
Authenticated Local File Inclusion in CMSimple 5.4 Enables Remote Code Execution
Publication date: 2025-12-23
Last updated on: 2025-12-23
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cmsimple | cmsimple | 5.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47734 is an authenticated local file inclusion (LFI) vulnerability in CMSimple version 5.4. It allows an attacker with valid credentials to manipulate PHP session files by changing the functions file path. This manipulation enables the attacker to upload malicious PHP code through session file upload mechanisms, leading to arbitrary code execution on the server. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to remote code execution on the affected server, allowing an attacker to execute arbitrary code with the privileges of the web server. This can result in unauthorized access, data theft, server compromise, and potentially full control over the affected system. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves verifying if your CMSimple 5.4 instance is vulnerable by checking for the presence of the authenticated local file inclusion vulnerability. You can monitor for suspicious POST requests that manipulate the 'functions_file' parameter or unusual PHP session file uploads. Using network monitoring tools, look for POST requests to the CMSimple login endpoint followed by requests that include directory traversal patterns like '..%2F' in parameters. Additionally, you can use the publicly available Python3 exploit script (from Resource 2) in a controlled environment to test if your system is vulnerable. Commands to monitor logs or traffic might include: 1) Using grep to find suspicious parameters in web server logs: `grep -i 'functions_file' /var/log/apache2/access.log` 2) Monitoring active sessions or PHP session files for unexpected modifications: `ls -lt /var/lib/php/sessions/` 3) Using network capture tools like tcpdump or Wireshark to filter HTTP POST requests to the CMSimple instance and inspect payloads for directory traversal patterns. Note that exploitation requires authentication, so monitoring for unusual authenticated sessions is also advised. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Restrict access to the CMSimple 5.4 admin interface to trusted users only, as exploitation requires authentication. 2) Apply any available patches or updates from the CMSimple vendor to fix the vulnerability. 3) If patches are not available, consider disabling or restricting the vulnerable functionality related to the 'functions_file' parameter and session file handling. 4) Monitor and audit user activities and session file modifications closely. 5) Implement network-level protections such as web application firewalls (WAF) to detect and block attempts to exploit directory traversal or file inclusion attacks. 6) Change credentials and review user permissions to limit potential attacker access. 7) Consider isolating the CMSimple instance or taking it offline until a fix is applied. [1, 2]