CMS MADE SIMPLE FORGE

CMS Made Simple Core

 

[#12313] 5 Stored XSS vulnerabilities in "Settings - Content Manager" under "Site Admin" in CMSMS Admin Console

Created By: Binit Ghimire (thebinitghimire)
Date Submitted: Tue May 26 08:22:00 -0400 2020

Assigned To: Ruud van der Velden (ruudvdvelden)
Version: 2.2.14
CMSMS Version: 2.2.14
Severity: Minor
Resolution: Fixed
State: Closed
Detailed Description:
Hello there,

I just discovered multiple Stored XSS vulnerabilities in the CMSMS Admin Console
which lie in the "Settings - Content Manager" page under the "Site Admin" option in
the sidebar menu.

Reproduction Steps:
Step 1. Log in to the Admin Console.
Step 2. Click on Site Admin and then click on "Settings - Content Manager", and
then go to the "New Page Defaults" tab.
Step 3. Insert the following payload in the two "textarea" elements, "Metadata"
and "Default Content":
</textarea><svg/onload=alert(document.domain)>
Step 4. Insert the following payload in the three "input type='text'" elements,
"Extra1 Field value", "Extra2 Field value" and "Extra3 Field Value":
"><svg/onload=alert(document.cookie)>
Step 5. Now, click on the "Submit" button.

You should now be able to see 5 alert prompts appearing one by one, as a result
of the 5 payloads being executed.

I am looking forward to seeing these vulnerabilities getting patched soon in the
next release of CMS Made Simple.

This vulnerability is reproducible in the latest version, 2.2.14, and below.

It can be patched by properly implementing sanitization and filtering related
functions in PHP for the form values in the page.

Thanks,
Binit Ghimire
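
The remediation suggested in the report, encoding form values for the HTML context they are rendered in, sketched as an added example. This is not CMS Made Simple code and not the fix committed in svn; the function names and the `$stored` array are hypothetical, and the sample values are the two payloads quoted in the report.

```php
<?php
// Added example; not CMS Made Simple code. All names here are hypothetical.

// Constructed sample: settings as read back from storage after Step 5,
// holding the two payloads quoted in the report.
$stored = [
    'metadata' => '</textarea><svg/onload=alert(document.domain)>',
    'extra1'   => '"><svg/onload=alert(document.cookie)>',
];

// Vulnerable pattern: stored values are concatenated into the form as-is, so
// the value can close the <textarea> element or the value="..." attribute.
function render_unsafe(array $v): string
{
    return '<textarea name="metadata">' . $v['metadata'] . "</textarea>\n"
         . '<input type="text" name="extra1" value="' . $v['extra1'] . '">';
}

// Output encoding for element content and quoted attribute values:
// &, <, >, " and ' become entities, so the value cannot leave its context.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(array $v): string
{
    return '<textarea name="metadata">' . esc($v['metadata']) . "</textarea>\n"
         . '<input type="text" name="extra1" value="' . esc($v['extra1']) . '">';
}

foreach (['render_unsafe', 'render_safe'] as $fn) {
    $html = $fn($stored);
    // A literal "<svg" in the output means the browser would create the element.
    printf("%s: %d injected <svg> tag(s)\n%s\n\n", $fn, substr_count($html, '<svg'), $html);
}

// Encoding happens at output only: the browser decodes the entities, so the
// admin still sees and re-submits the text exactly as stored.
foreach ($stored as $name => $value) {
    $same = html_entity_decode(esc($value), ENT_QUOTES, 'UTF-8') === $value;
    printf("%s round-trips unchanged: %s\n", $name, $same ? 'yes' : 'no');
}
```

The same encoding applies to all five fields named in the report, since each is rendered either as textarea content or as a quoted `value` attribute.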


History

Comments
Date: 2020-05-26 08:58
Posted By: Binit Ghimire (thebinitghimire)

Here is a video that acts as a Proof-of-Concept (PoC) for these vulnerabilities:
https://youtu.be/L1f91mlyHEY
      
Date: 2020-09-18 10:08
Posted By: Ruud van der Velden (ruudvdvelden)

Fixed in svn
Thanks for reporting
      
Date: 2020-11-03 14:23
Posted By: Rolf (rolf1)

CMSMS 2.2.15 has been released
      
Updates

Updated: 2020-11-03 14:23
state: Open => Closed

Updated: 2020-09-18 10:08
resolution_id: 5 => 7
severity_id: 2 => 3
assigned_to_id: 17008 => 18365

Updated: 2020-05-26 08:29
resolution_id: => 5