CMS MADE SIMPLE FORGE

CMS Made Simple Core

 

[#12651] Stored Cross Site Scripting in CMS Made Simple - Admin Console

Created By: Sahil Ojha (sahilojha)
Date Submitted: Wed Oct 04 12:45:34 -0400 2023

Assigned To: CMS Made Simple Foundation (cmsmsfoundation)
Version: 2.2.18
CMSMS Version: 2.2.18
Severity: Major
Resolution: None
State: Open
Summary:
Stored Cross Site Scripting in CMS Made Simple - Admin Console
Detailed Description:
1. Log in to the Admin Console of CMS Made Simple.

2. Navigate to My Preference > Manage Shortcuts.

3. Click on Add Shortcuts.

4. In the Title parameter, inject the XSS payload:
<script>alert(document.cookie)</script>

5. Submit the form after filling it in. An XSS alert will pop up with the user's
session cookie.
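
Added example, not part of the original report and not CMS Made Simple code: the stored Title from step 4 rendered without and with output encoding. The function names and the row layout are hypothetical; the sample rows are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical renderer for one row of a shortcut list (not CMSMS code).
// "Before": the stored title is concatenated into the page as-is, so any
// markup saved in the Title field is parsed by the browser on every view.
function render_shortcut_unsafe(array $shortcut): string
{
    return '<td class="title">' . $shortcut['title'] . '</td>';
}

// "After": encode at output time for the HTML text context. ENT_QUOTES also
// covers both quote characters in case the value is reused in an attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_shortcut_safe(array $shortcut): string
{
    $title = htmlspecialchars(
        (string) $shortcut['title'],
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<td class="title">' . $title . '</td>';
}

// Constructed sample rows: an ordinary title and the Title value from step 4.
$rows = [
    ['title' => 'Site & Design'],
    ['title' => '<script>alert(document.cookie)</script>'],
];

foreach ($rows as $row) {
    $unsafe = render_shortcut_unsafe($row);
    $safe   = render_shortcut_safe($row);

    // Regression check usable in a unit test: no raw "<script" may survive.
    $unsafeHasTag = stripos($unsafe, '<script') !== false;
    $safeHasTag   = stripos($safe, '<script') !== false;

    printf(
        "unsafe: %s (script tag: %s)\nsafe:   %s (script tag: %s)\n\n",
        $unsafe,
        $unsafeHasTag ? 'yes' : 'no',
        $safe,
        $safeHasTag ? 'yes' : 'no'
    );
}
```

Encoding is applied when the value is written into the page, so titles already stored before a fix are also rendered inert. Marking the session cookie HttpOnly additionally keeps it out of document.cookie.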

  


History

Comments
Date: 2023-10-05 23:17
Posted By: Matt Hornsby (DIGI3) (DIGI3)

Please see
https://www.cmsmadesimple.org/community/get-involved/report-a-vulnerability
      
Updates

Updated: 2023-10-05 23:17
resolution_id: => 5