CMS MADE SIMPLE FORGE

CMS Made Simple Core

 

[#12023] Stored Cross-site Scripting Vulnerability in Email Address area in CMS Made Simple

Created By: Binit Ghimire (thebinitghimire)
Date Submitted: Sat Apr 20 06:43:28 -0400 2019

Assigned To:
Version: 2.2.10
CMSMS Version: 2.2.10
Severity: Critical
Resolution: Fixed
State: Closed
Summary:
Stored Cross-site Scripting Vulnerability in Email Address area in CMS Made Simple
Detailed Description:
Hello sir/madam!

I am Binit Ghimire. I just discovered a stored/persistent cross-site scripting
(XSS) vulnerability in the Email Address area in CMS Made Simple.

When you log in to the Admin Console of CMS Made Simple, you need to click on "My
Preferences" and then click on "My Account" to reach your account settings. Now,
on the "My Account" page, you have to enter the following XSS payload:
"><svg/onload=alert(1)>"@x.y
You can see I have used " and " to enclose the payload to make it look like the
username in the email and at the end, there's the general email format: @x.y.

Now, you have to click on the "Submit" button to save the changes and you will
see the XSS payload getting executed along with the message "User account has
been updated." which means the malicious email XSS payload has been stored in
the database resulting in a persistent execution of the payload.

The XSS payload will be executed every time you refresh or open the "My Account"
page.

Since this is a Stored Cross-site Scripting vulnerability, it could lead to
different issues in the CMS.

This vulnerability is present in the latest version of CMS Made Simple (2.2.10)
and all the previous versions of the CMSMS platform.

I hope you will fix this vulnerability in future versions of CMS Made
Simple.

Thanks,
Binit Ghimire
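
The report above describes an email value that is saved and then rendered back on the "My Account" page. As an added example (not CMSMS code and not the project's actual fix), the following PHP contrasts unencoded output of that stored value with attribute-context encoding, plus a conservative input check. The form markup and function names are assumptions made for illustration.

```php
<?php
// Added example, not CMSMS code: markup and function names are hypothetical.

// Constructed sample: the value from the report, as read back from storage.
$stored = '"><svg/onload=alert(1)>"@x.y';

// Unsafe pattern: the stored value is concatenated into a double-quoted
// attribute, so its leading "> closes the attribute and the tag.
function render_email_field_unsafe(string $email): string
{
    return '<input type="text" name="email" value="' . $email . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
function render_email_field(string $email): string
{
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="email" value="' . $safe . '">';
}

// Input-side check (defence in depth): accept only a conservative address
// shape before saving. A quoted local part is legal mail syntax, so a
// generic "is this an email" test is not a substitute for output encoding.
function is_acceptable_email(string $email): bool
{
    return strlen($email) <= 254
        && preg_match('/\A[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+\z/', $email) === 1;
}

// Compare the two renderings of the same stored value.
echo render_email_field_unsafe($stored), PHP_EOL;
echo render_email_field($stored), PHP_EOL;

// The reported value is refused at input; an ordinary address is accepted.
var_dump(is_acceptable_email($stored));
var_dump(is_acceptable_email('editor@example.org'));
```

Encoding at output is the control that closes the issue, because it also covers values already stored before any input check existed.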


History

Comments
Date: 2019-11-05 16:24
Posted By: Robert Campbell (calguy1000)

fixed in subsequent versions of cmsms 2.2.x
      
Updates

Updated: 2020-11-03 14:41
assigned_to_id: 106 => 100
state: Open => Closed

Updated: 2019-11-05 16:24
resolution_id: 5 => 7

Updated: 2019-04-20 06:48
severity_id: 2 => 1

Updated: 2019-04-20 06:48
resolution_id: => 5
severity_id: 1 => 2