CMS MADE SIMPLE FORGE

CMS Made Simple Core


[#12312] Stored XSS vulnerability in File Picker at CMSMS 2.2.14 and below

Created By: Binit Ghimire (thebinitghimire)
Date Submitted: Tue May 26 01:39:07 -0400 2020

Assigned To: Fernando Morgado (JoMorg)
Version: 2.2.14
CMSMS Version: 2.2.14
Severity: Major
Resolution: None
State: Open
Summary:
Stored XSS vulnerability in File Picker at CMSMS 2.2.14 and below
Detailed Description:
Hello there,

Recently, I discovered a Stored XSS vulnerability in the File Picker area under
Extensions in CMS Made Simple Admin Console. I discovered this vulnerability
while testing for vulnerabilities in version 2.2.14 of the CMSMS platform.

Reproduction Steps:
Step 1. Log in to the Admin Console.
Step 2. Click on "Extensions" and click on "File Picker".
Step 3. Click on "Add a new Profile".
Step 4. Insert your payload in the "Name" field, for example,
"><svg/onload=alert()>
Step 5. Click on the "Submit" button.
Step 6. Now, when you go to the "File Picker" page, you should be able to see
the payload getting executed.

This vulnerability affects the CMS Made Simple latest version (2.2.14) and
below.

The vulnerability can be mitigated by properly sanitizing or filtering the user
input in the "Name" field while adding a new profile in File Picker.

Thanks,
Binit Ghimire
@WHOISbinit on Twitter
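Added here as an illustration of the mitigation the report asks for; this is not code from CMS Made Simple and not code posted by the reporter. It places a stored profile name into an HTML row twice: once concatenated raw (the pattern the report describes) and once passed through htmlspecialchars() with ENT_QUOTES at output time, then runs a small check that the encoded row contains no markup originating from the name. The profile records, the function names, the editprofile.php link and the table markup are all assumptions made for the example; only the payload string comes from the report. Requires PHP 8 (str_contains).

```php
<?php
// Added example, not CMSMS code: unescaped vs. output-encoded rendering of a
// File Picker profile "Name". Profile data, function names and markup are
// assumptions for illustration; the second name is the payload from the report.
declare(strict_types=1);

// Constructed sample data: one benign name and one carrying the reported payload.
const SAMPLE_PROFILES = [
    ['id' => 1, 'name' => 'Images only'],
    ['id' => 2, 'name' => '"><svg/onload=alert()>'],
];

/**
 * Vulnerable pattern: the stored name is concatenated straight into HTML, so
 * a quote closes the title attribute and the rest is parsed as a new element.
 */
function render_profile_row_unescaped(array $profile): string
{
    return '<tr><td><a href="editprofile.php?id=' . $profile['id']
        . '" title="' . $profile['name'] . '">' . $profile['name'] . '</a></td></tr>';
}

/**
 * Output encoder for HTML text and quoted attribute values.
 * ENT_QUOTES encodes both ' and " (needed inside attributes), ENT_SUBSTITUTE
 * replaces invalid UTF-8 instead of returning an empty string.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened pattern: integer cast for the id, encoding for the name, applied
 * exactly once at the point the value is written into HTML.
 */
function render_profile_row_escaped(array $profile): string
{
    $id   = (int) $profile['id'];
    $name = h($profile['name']);
    return '<tr><td><a href="editprofile.php?id=' . $id
        . '" title="' . $name . '">' . $name . '</a></td></tr>';
}

/**
 * Regression check a developer could keep in a test suite: after removing the
 * template's own tags, nothing that looks like markup may remain, i.e. no raw
 * '<' or '>' contributed by the stored name.
 */
function row_is_inert(string $html): bool
{
    $stripped = str_replace(['<tr>', '</tr>', '<td>', '</td>', '</a>'], '', $html);
    $stripped = preg_replace('/<a href="editprofile\.php\?id=\d+" title="[^"]*">/', '', $stripped);
    return !str_contains($stripped, '<') && !str_contains($stripped, '>');
}

foreach (SAMPLE_PROFILES as $profile) {
    $raw  = render_profile_row_unescaped($profile);
    $safe = render_profile_row_escaped($profile);
    echo 'Unescaped: ', $raw, PHP_EOL;
    echo '  inert? ', var_export(row_is_inert($raw), true), PHP_EOL;
    echo 'Escaped:   ', $safe, PHP_EOL;
    echo '  inert? ', var_export(row_is_inert($safe), true), PHP_EOL, PHP_EOL;
}
```

For the payload row the unescaped render fails the check while the encoded render passes, because `"`, `<` and `>` arrive in the browser as `&quot;`, `&lt;` and `&gt;` and are displayed as text rather than parsed as an element. In a Smarty-based template the equivalent is applying the escape modifier to the variable at the point of output; the key design choice is the same either way: encode on output, in the context where the value lands, rather than relying on filtering at input time alone.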


History

Comments
Date: 2020-05-26 01:55
Posted By: Binit Ghimire (thebinitghimire)

You can find a Proof-of-Concept (PoC) video showing the reproduction steps here:
https://youtu.be/Q6RMhmpScho

Here is a screenshot of the payload getting executed:
https://i.ibb.co/DKJkJFR/CMS-Made-Simple-2-2-14-and-Below.png
Updates

Updated: 2020-05-26 01:55
resolution_id: => 5