| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAOK5wbCvYZZA+-vDPUo0EmZzzMRRz4k=Srx=BaExuuR24myNig@mail.gmail.com> Date: Wed, 22 May 2019 11:54:21 +0200 From: Manuel Garcia Cardenas <advidsec@...il.com> To: fulldisclosure@...lists.org, dm@...urityfocus.com, submit@...sec.com Subject: [FD] CMS Made Simple 2.2.10 - (Authenticated) Persistent Cross-Site Scripting ============================================= MGC ALERT 2019-002 - Original release date: April 10, 2019 - Last revised: May 22, 2019 - Discovered by: Manuel Garcia Cardenas - Severity: 4,8/10 (CVSS Base Score) - CVE-ID: CVE-2019-11226 ============================================= I. VULNERABILITY ------------------------- CMS Made Simple 2.2.10 - (Authenticated) Persistent Cross-Site Scripting II. BACKGROUND ------------------------- CMS Made Simple (CMSMS) is a free, open source (GPL) content management system (CMS) to provide developers, programmers and site owners a web-based development and administration area. III. DESCRIPTION ------------------------- Has been detected a Persistent XSS vulnerability in CMS Made Simple, that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser. IV. PROOF OF CONCEPT ------------------------- Go to: Content -> Content Manager -> News -> Add Article And post in the m1_title parameter for example test"><script>alert(1)</script> The variable "m1_title" it is not sanitized, later, if some user visit the content in the public area, the XSS is executed, in the response you can view: <input type="text" id="fld1" name="m1_title" value="test"><script>alert(1)</script> V. BUSINESS IMPACT ------------------------- An attacker can execute arbitrary HTML or Javascript code in a targeted user's browser, this can leverage to steal sensitive information as user credentials, personal data, etc. VI. SYSTEMS AFFECTED ------------------------- CMS Made Simple <= 2.2.10 VII. SOLUTION ------------------------- Disable until a fix is available, vendor doesn't accept XSS issues inside admin panel. VIII. REFERENCES ------------------------- https://www.cmsmadesimple.org/ IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com). X. REVISION HISTORY ------------------------- April 10, 2019 1: Initial release May 22, 2019 2: Last revision XI. DISCLOSURE TIMELINE ------------------------- April 10, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas April 10, 2019 2: Send to vendor April 22, 2019 3: New request, vendor doesn't accept XSS issues inside admin panel. May 22, 2019 4: Sent to lists XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. XIII. ABOUT ------------------------- Manuel Garcia Cardenas Pentester _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists