CMS MADE SIMPLE FORGE

CMS Made Simple Core

 

[#12317] XSS on Settings News Module

Created By: rahul gautam (G@merited)
Date Submitted: Fri May 29 08:18:14 -0400 2020

Assigned To: Ruud van der Velden (ruudvdvelden)
Version: 2.2.14
CMSMS Version: 2.2.14
Severity: Minor
Resolution: Fixed
State: Closed
Summary:
XSS on Settings News Module
Detailed Description:
hello,

I discovered an XSS on Settings News Module

Steps to reproduce:
1) Go to Field Definitions
2) Click on Add Field Definition
3) Inject an XSS payload, <script>alert(1)</script> for example
4) Add
XSS fires

Preventive measure:
Encode HTML elements of tags
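
The preventive measure named in the report, encoding at the point of output, shown as an added example that is not part of the original report and is not CMSMS source code. The helper and function names and the sample rows are hypothetical, constructed to show the unencoded and encoded rendering of a stored field definition name side by side.

```php
<?php
// Added example: hypothetical rendering helpers, not CMSMS source code.

/** Encode a value for HTML element content or a quoted attribute value. */
function h(string $value): string
{
    // ENT_QUOTES covers both quote styles so the result is safe inside
    // title="..." as well as between tags; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Before: the stored name is concatenated into the markup unchanged. */
function render_row_unsafe(array $def): string
{
    return '<tr><td title="' . $def['name'] . '">' . $def['name'] . '</td></tr>';
}

/** After: the stored name is kept raw in storage and encoded on output. */
function render_row_safe(array $def): string
{
    $name = h($def['name']);
    return '<tr><td title="' . $name . '">' . $name . '</td></tr>';
}

// Constructed sample rows: the payload quoted in the report, and a benign
// name containing characters that are significant in HTML.
$fielddefs = [
    ['id' => 1, 'name' => '<script>alert(1)</script>'],
    ['id' => 2, 'name' => 'Author\'s "bio" & notes'],
];

foreach ($fielddefs as $def) {
    echo 'unsafe: ', render_row_unsafe($def), PHP_EOL;
    echo 'safe:   ', render_row_safe($def), PHP_EOL;
}
```

The second row shows why encoding matters even for legitimate input: without it, the double quotes in the name end the title attribute early and corrupt the markup.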


History

Comments
Date: 2020-09-18 10:00
Posted By: Ruud van der Velden (ruudvdvelden)

Quickly fixed in svn.
Better fixes are planned for a bigger update.
Thanks for reporting
      
Date: 2020-09-19 10:24
Posted By: rahul gautam (G@merited)

Thanks for your response :) no problem :)
      
Date: 2020-11-03 14:22
Posted By: Rolf (rolf1)

CMSMS 2.2.15 has been released
      
Updates

Updated: 2020-11-03 14:22
state: Open => Closed

Updated: 2020-09-18 10:00
resolution_id: => 7
assigned_to_id: 12532 => 18365