CMS MADE SIMPLE FORGE

CMS Made Simple Core

 
Back Back to List

[#12022] Cross-site Scripting vulnerability in CMS Made Simple

avatar
Created By: Binit Ghimire (thebinitghimire)
Date Submitted: Fri Apr 19 16:35:32 -0400 2019

Assigned To:
Version: 2.2.10
CMSMS Version: 2.2.10
Severity: Trivial
Resolution: Accepted
State: Open
Summary:
Cross-site Scripting vulnerability in CMS Made Simple
Detailed Description:
Hello sir/madam!

I was able to discover a cross-site scripting (XSS) vulnerability in CMS Made
Simple File Manager.

When you go to "File Manager" under the "Content" section in CMS Made Simple
Admin Console, you will be able to see the files in the CMS. Now, you have to
select one of the files and click on the "Rename" button.

When it shows the "New name::" field, you need to type:
"onmouseover=alert(document.domain)//

Now, when you click on the "Rename" button to save the changes, the page will
reload and when you put your mouse pointer over the input field, it will execute
the XSS payload.

This cross-site scripting vulnerability exists in the latest version of CMS Made
Simple (2.2.10) and all versions below it.

I hope you would fix this vulnerability in the future versions of CMS Made
Simple as soon as possible.

Thanks,
Binit Ghimire


History

Comments
avatar 
Date: 2019-04-20 03:01
Posted By: Binit Ghimire (thebinitghimire)

I hope you would assign a CVE for this vulnerability affecting all the current
versions of CMS Made Simple!
avatar 
Date: 2019-04-25 13:42
Posted By: Binit Ghimire (thebinitghimire)

Today, the CVE Assignment Team assigned CVE-2019-11513 for this Reflected
Cross-site Scripting that I discovered in CMS Made Simple affecting all versions
of the CMSMS platform including the current released version 2.2.10 and below.

Find out more: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11513
Updates

Updated: 2020-11-03 14:56
resolution_id: 5 => 6
assigned_to_id: 106 => 100

Updated: 2019-04-20 03:03
assigned_to_id: 100 => 106

Updated: 2019-04-19 18:36
severity_id: 1 => 4

Updated: 2019-04-19 16:51
description: Hello sir/madam! I was able to discover a cross-site scripting (XSS) vulnerability in CMS Made Simple File Manager. When you go to "File Manager" under the "Content" section in CMS Made Simple Admin Console, you will be able to see the files in the => Hello sir/madam! I was able to discover a cross-site scripting (XSS) vulnerability in CMS Made Simple File Manager. When you go to "File Manager" under the "Content" section in CMS Made Simple Admin Console, you will be able to see the files in the

Updated: 2019-04-19 16:50
description: Hello sir/madam! I was able to discover a cross-site scripting (XSS) vulnerability in CMS Made Simple File Manager. When you go to "File Manager" under the "Content" section in CMS Made Simple Admin Console, you will be able to see the files in the => Hello sir/madam! I was able to discover a cross-site scripting (XSS) vulnerability in CMS Made Simple File Manager. When you go to "File Manager" under the "Content" section in CMS Made Simple Admin Console, you will be able to see the files in the

Updated: 2019-04-19 16:47
description: Hello sir/madam! I was able to discover a cross-site scripting (XSS) vulnerability in CMS Made Simple File Manager. When you go to "File Manager" under the "Content" section in CMS Made Simple Admin Console, you will be able to see the files in the => Hello sir/madam! I was able to discover a cross-site scripting (XSS) vulnerability in CMS Made Simple File Manager. When you go to "File Manager" under the "Content" section in CMS Made Simple Admin Console, you will be able to see the files in the
resolution_id: => 5