CMS MADE SIMPLE FORGE

CMS Made Simple Core


[#12312] Stored XSS vulnerability in File Picker at CMSMS 2.2.14 and below

Created By: Binit Ghimire (thebinitghimire)
Date Submitted: Tue May 26 01:39:07 -0400 2020

Assigned To: Ruud van der Velden (ruudvdvelden)
Version: 2.2.14
CMSMS Version: 2.2.14
Severity: Minor
Resolution: Fixed
State: Closed
Summary:
Stored XSS vulnerability in File Picker at CMSMS 2.2.14 and below
Detailed Description:
Hello there,

Recently, I discovered a Stored XSS vulnerability in the File Picker area under
Extensions in CMS Made Simple Admin Console. I discovered this vulnerability
while testing for vulnerabilities in version 2.2.14 of the CMSMS platform.

Reproduction Steps:
Step 1. Log in to the Admin Console.
Step 2. Click on "Extensions" and click on "File Picker".
Step 3. Click on "Add a new Profile".
Step 4. Insert your payload in the "Name" field, for example,
"><svg/onload=alert()>
Step 5. Click on the "Submit" button.
Step 6. Now, when you go to the "File Picker" page, you should be able to see
the payload getting executed.

This vulnerability affects the CMS Made Simple latest version (2.2.14) and
below.

The vulnerability can be mitigated by properly sanitizing or filtering the user
input in the "Name" field while adding a new profile in File Picker.

Thanks,
Binit Ghimire
@WHOISbinit on Twitter


History

Comments
Date: 2020-05-26 01:55
Posted By: Binit Ghimire (thebinitghimire)

You can find a Proof-of-Concept (PoC) video showing the reproduction steps here:
https://youtu.be/Q6RMhmpScho

Here is a screenshot of the payload getting executed:
https://i.ibb.co/DKJkJFR/CMS-Made-Simple-2-2-14-and-Below.png
      
Date: 2020-09-05 07:13
Posted By: Ruud van der Velden (ruudvdvelden)

Changed to minor as this functionality is only available to users with high
privileges so they should be trusted anyway.

The vulnerability is valid though and should be fixed.

Thanks.
      
Date: 2020-09-05 07:17
Posted By: Binit Ghimire (thebinitghimire)

Hello there,

Yes, the functionality is only available for users with higher privileges.

Good to hear the vulnerability is valid as per the team!

I am looking forward to seeing this issue being resolved in the next version of
the CMS Made Simple platform.

Thanks,
Binit Ghimire
      
Date: 2020-09-07 15:25
Posted By: Ruud van der Velden (ruudvdvelden)

Fixed in SVN by escaping values in template (2.2.15)
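The following is an added illustration of the two behaviours discussed in this ticket: the report's rendering of a stored profile name straight into the listing markup, and the fix described in the comment above (escaping values at the point they are placed into the template). It is example code written for this page, not CMS Made Simple's own File Picker code; the `editprofile.php` link target, the row layout and the function names are assumptions, and the sample profile name is the one quoted in the report.

```php
<?php
// Added example, not CMSMS project code: rendering a File Picker profile
// name in an admin listing, unescaped (as reported) and escaped (as fixed).

declare(strict_types=1);

// Constructed sample: the value from the report, as it sits in the
// database after the "Add a new Profile" form is submitted.
const SAMPLE_PROFILE_NAME = '"><svg/onload=alert()>';

/**
 * Behaviour described in the report: the stored name is interpolated
 * directly into an attribute and an element body. The '"' and '>' inside
 * the name terminate the attribute and the tag, so the browser parses
 * the remainder as new markup.
 */
function render_profile_row_unescaped(string $name): string
{
    // editprofile.php is a hypothetical link target for the example.
    return '<tr><td><a href="editprofile.php?name=' . $name . '">'
        . $name . '</a></td></tr>';
}

/**
 * Fixed rendering: every untrusted value is escaped for the context it
 * lands in. htmlspecialchars with ENT_QUOTES neutralises <, >, &, " and '
 * for HTML text and attribute contexts; rawurlencode handles the query
 * parameter. In a Smarty template this is the |escape modifier, e.g.
 * {$name|escape:'html'} for markup and {$name|escape:'url'} for URLs.
 */
function render_profile_row_escaped(string $name): string
{
    $safe  = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $param = rawurlencode($name);
    return '<tr><td><a href="editprofile.php?name=' . $param . '">'
        . $safe . '</a></td></tr>';
}

/**
 * Regression check a test suite can run over rendered admin pages:
 * true if the stored value survives verbatim in the output, i.e. it
 * was placed into markup without escaping.
 */
function value_leaks_into_markup(string $html, string $value): bool
{
    return strpos($html, $value) !== false;
}

$unescaped = render_profile_row_unescaped(SAMPLE_PROFILE_NAME);
$escaped   = render_profile_row_escaped(SAMPLE_PROFILE_NAME);

echo "Unescaped row: {$unescaped}\n";
echo "Escaped row:   {$escaped}\n";
echo 'Leak in unescaped render: '
    . var_export(value_leaks_into_markup($unescaped, SAMPLE_PROFILE_NAME), true) . "\n";
echo 'Leak in escaped render:   '
    . var_export(value_leaks_into_markup($escaped, SAMPLE_PROFILE_NAME), true) . "\n";
```

Run with `php example.php`: the unescaped row contains the stored value byte-for-byte (the check reports `true`), while the escaped row renders it as `&quot;&gt;&lt;svg/onload=alert()&gt;`, which the browser displays as literal text (the check reports `false`). Escaping at output time, rather than filtering on input as the report suggests, is the more robust of the two because it protects every place the value is later rendered, including ones added after the fix.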
      
Date: 2020-11-03 14:24
Posted By: Rolf (rolf1)

CMSMS 2.2.15 has been released
      
Updates

Updated: 2020-11-03 14:24
state: Open => Closed

Updated: 2020-09-07 15:25
resolution_id: 5 => 7
assigned_to_id: 12532 => 18365

Updated: 2020-09-05 07:13
severity_id: 2 => 3

Updated: 2020-05-26 01:55
resolution_id: => 5