Unrated severity · NVD Advisory · Published Mar 5, 2014 · Updated May 6, 2026

CVE-2014-2245

Description

SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 allows remote authenticated users with the "Modify News" permission to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php. NOTE: some of these details are obtained from third party information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in CMS Made Simple News module before 1.11.10 allows authenticated users with 'Modify News' permission to execute arbitrary SQL via the sortby parameter.

Vulnerability

The News module in CMS Made Simple (CMSMS) before version 1.11.10 contains a SQL injection vulnerability in the sortby parameter. The vulnerability is present in admin/moduleinterface.php and requires the user to have the "Modify News" permission. The issue was fixed in version 1.11.10, as noted in the changelog [3] and confirmed by the CVE assignment [2].

Exploitation

An attacker must be an authenticated user with the "Modify News" permission. The attacker can craft a malicious sortby parameter in a request to admin/moduleinterface.php. No other special network position or user interaction is required beyond authentication. The exact steps involve sending a GET or POST request with a SQL injection payload in the sortby parameter.

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands against the underlying database. This can lead to information disclosure, modification, or deletion of data, depending on the database permissions. The attacker gains the ability to read or manipulate the CMS database, potentially compromising the entire site.

Mitigation

The vulnerability is fixed in CMS Made Simple version 1.11.10, released in February 2014 [3]. Users should upgrade to this version or later. No workarounds are mentioned in the available references. The vulnerability is not listed on the CISA KEV as of the publication date.
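A detection sketch for the request pattern described above, added here as an example and not taken from the advisory or from CMSMS: it scans web access logs for requests to admin/moduleinterface.php whose sortby value is anything other than a plain column name with an optional sort direction. The log lines are constructed, and the prefix handling for the parameter name and the allowed-value pattern are assumptions. POST bodies do not appear in access logs, so only query-string values are covered.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; hosts, users and values are invented.
SAMPLE_LOG = """\
192.0.2.10 - editor1 [05/Mar/2014:10:01:02 +0000] "GET /admin/moduleinterface.php?sortby=news_title HTTP/1.1" 200 5120
192.0.2.10 - editor1 [05/Mar/2014:10:01:09 +0000] "GET /admin/moduleinterface.php?sortby=news_date+desc HTTP/1.1" 200 5120
192.0.2.44 - editor2 [05/Mar/2014:10:07:30 +0000] "GET /admin/moduleinterface.php?m1_sortby=news_title%2C%28x%29 HTTP/1.1" 200 812
192.0.2.44 - - [05/Mar/2014:10:08:00 +0000] "GET /index.php?sortby=%28x%29 HTTP/1.1" 200 300
192.0.2.10 - editor1 [05/Mar/2014:10:09:00 +0000] "POST /admin/moduleinterface.php HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumption: a legitimate sort value is one column identifier, optionally
# followed by a direction. Everything else is reported for review.
SAFE_SORT = re.compile(r'[A-Za-z_][A-Za-z0-9_.]*( (asc|desc))?', re.I)
TARGET = "admin/moduleinterface.php"   # endpoint named in the advisory


def suspicious_sortby(log_text):
    """Return one finding per sortby value that is not a plain sort key."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a parsable access-log line
        host, user, when, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith(TARGET):
            continue                      # other endpoints are out of scope
        # parse_qs percent-decodes values and turns '+' into a space.
        params = parse_qs(url.query, keep_blank_values=True)
        for key, values in params.items():
            # Assumption: the module may prefix its parameter names.
            if not key.lower().endswith("sortby"):
                continue
            for value in values:
                if not SAFE_SORT.fullmatch(value.strip()):
                    findings.append({"line": lineno, "host": host, "user": user,
                                     "time": when, "status": int(status),
                                     "param": key, "value": value})
    return findings


if __name__ == "__main__":
    for f in suspicious_sortby(SAMPLE_LOG):
        print(f)
```

Because exploitation requires an authenticated account, the `user` and `host` fields of each finding are the starting point for reviewing which "Modify News" account issued the request.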

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

66
  • cpe:2.3:a:cmsmadesimple:cms_made_simple:*:*:*:*:*:*:*:* + 63 more
    • cpe:2.3:a:cmsmadesimple:cms_made_simple:*:*:*:*:*:*:*:* range: <=1.11.9
  • Range: <1.11.10
