OS Command Injection in CosCms
Vulnerable Versions: 1.721 and probably prior
Advisory Publication: February 13, 2013 [without technical details]
Vendor Notification: February 13, 2013
Vendor Fix: February 13, 2013
Public Disclosure: March 6, 2013
Latest Update: February 19, 2013
Vulnerability Type: OS Command Injection [CWE-78]
CVSSv2 Base Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab
High-Tech Bridge Security Research Lab discovered a vulnerability in CosCms which can be exploited to execute arbitrary OS commands on the web server where the vulnerable application is hosted.
Solution: Upgrade to CosCms 1.822
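The advisory names the weakness class (CWE-78, OS command injection) but publishes no technical details, so the following is an added, generic illustration of that class and not CosCms code. It assumes a PHP application (CosCMS is a PHP framework) that shells out to an external image tool with a user-supplied filename; the function names, the `convert` invocation and the sample inputs are all constructed for the example. It contrasts the unsafe concatenation pattern with a hardened version and only builds command strings, never executes them.

```php
<?php
// Added illustration of the CWE-78 weakness class this advisory names.
// It is not CosCms code: the advisory publishes no technical details of the
// real flaw, so the scenario below (a CMS that shells out to an image tool
// with a user-supplied filename) is an assumption made for the example.

// Unsafe pattern: untrusted input spliced straight into a shell command line.
// Any shell metacharacter in $filename (; | & $ ` newline ...) terminates the
// intended command and starts one the caller chose, which is exactly the
// "execute arbitrary OS commands on the web server" impact described above.
function buildUnsafeCommand(string $filename): string
{
    return "convert uploads/$filename -resize 200x200 thumbs/$filename";
}

// Hardened pattern, two independent layers:
//  1. a strict allowlist on the value (only the characters and extensions a
//     legitimate upload name can contain, no path separators at all);
//  2. escapeshellarg() on every argument, so the shell receives each one as
//     a single quoted literal even if the allowlist is ever loosened.
function buildSafeCommand(string $filename): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:png|jpe?g|gif)\z/', $filename)) {
        // Rejections are worth logging: a burst of them from one client is a
        // cheap detection signal that this input is being probed.
        error_log('command-injection guard rejected filename: ' . bin2hex($filename));
        throw new InvalidArgumentException('filename rejected');
    }
    $src = escapeshellarg("uploads/$filename");
    $dst = escapeshellarg("thumbs/$filename");
    return "convert $src -resize 200x200 $dst";
}

// Constructed inputs, not taken from the advisory. Commands are only built,
// never run, so this can be executed anywhere to compare the two results.
$inputs = ['photo.png', 'photo.png; echo injected', '../../other.png'];
foreach ($inputs as $in) {
    echo 'unsafe: ', buildUnsafeCommand($in), PHP_EOL;
    try {
        echo 'safe:   ', buildSafeCommand($in), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'safe:   rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

In a real application the string returned by `buildSafeCommand()` would be passed to `exec()` or `proc_open()`; better still, on PHP 7.4 and later pass `proc_open()` an array of arguments so no shell is involved at all and the escaping layer becomes unnecessary. The CVSS vector on this advisory (Au:S) indicates the CosCms issue required an authenticated user, which lowers exposure but does not change the mitigation: validate and quote, or avoid the shell.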
References:
High-Tech Bridge Advisory HTB23145 - https://www.immuniweb.com/advisory/HTB23145 - OS Command Injection in CosCms.
CosCms - http://www.coscms.org/ - CosCMS is a simple framework for building web applications. It is intended for users who want some common modules and a platform with a small code base that is easy to extend.
Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Please feel free to send us any additional information related to this advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.