CMS MADE SIMPLE FORGE

CMS Made Simple Core

Back to List

[#12002] Self-XSS vulnerability via Design Manager on CMSMS 2.2.10

Created By: Chi Tran (chitran)

Date Submitted: Sun Mar 24 23:41:02 -0400 2019

Assigned To:

Version: 2.2.10

CMSMS Version: 2.2.10

Severity: Trivial

Resolution: Fixed

State: Closed

Summary:

Self-XSS vulnerability via Design Manager on CMSMS 2.2.10

Detailed Description:

Hello CMSMS Team,

I am reaching out to report a Self XSS vulnerability via Design Manager feature
from CMS Made Simple version 2.2.10. An attacker can create a new template and
add payload into "Name" field.
Steps to reproduce:
- Navigate to Admin Dashboard
- Click on Layout -> Design Manager feature
- Click on "Create a new Template"
- In "Name" field, input payload: <svg/onload=alert(document.domain)>
- Click "Submit"
- After submitting, malicious script will be executed.

History

Date: 2020-03-19 06:15
Posted By: Rolf (rolf1)

Already fixed in svn

Updated: 2020-03-30 13:17
state: Open => Closed

Updated: 2020-03-19 06:15
resolution_id: => 7

CMSMS | CMS Made Simple

CMS MADE SIMPLE FORGE

CMS Made Simple Core

[#12002] Self-XSS vulnerability via Design Manager on CMSMS 2.2.10

History