CMS MADE SIMPLE FORGE

CMS Made Simple Core

Back to List

[#12003] Self-XSS vulnerability via My Account on CMSMS 2.2.10

Created By: Chi Tran (chitran)

Date Submitted: Mon Mar 25 00:06:06 -0400 2019

Assigned To:

Version: 2.2.10

CMSMS Version: 2.2.10

Severity: Trivial

Resolution: None

State: Open

Summary:

Self-XSS vulnerability via My Account on CMSMS 2.2.10

Detailed Description:

Hello CMSMS Team,

I am reaching out to report a Self XSS vulnerability via "My Account" section
from CMS Made Simple version 2.2.10. An attacker can execute a payload via
"Email Address" field:
Steps to reproduce:
- Navigate to Admin Dashboard
- Click on My Preferences-> My Account
- In "Email Address" field, input payload: <svg/onload=alert(document.domain)>
- Click "Submit"
- After submitting, malicious script will be executed.

History

Updated: 2019-03-25 00:06
resolution_id: => 5
severity_id: 12 => 4

CMSMS | CMS Made Simple

CMS MADE SIMPLE FORGE

CMS Made Simple Core

[#12003] Self-XSS vulnerability via My Account on CMSMS 2.2.10

History