CMS Made Simple 2.2.5 moduleinterface.php m1_errors Cross Site Scripting

2018.01.24
Risk: Low
Local: No
Remote: No
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

1.OVERVIEW CMS Made Simple version 2.2.5 is vulnerable to Reflected Cross-Site Scripting. 2. PRODUCT DESCRIPTION CMS Made Simple is open source CMS for developing website. 3. VULNERABILITY DESCRIPTION The CMS Made Simple version 2.2.5 in /admin/moduleinterface.php didn't validate correctly in m1_errors parameter, so it can be execute as malicious javascript code. 4. VERSIONS AFFECTED 2.2.5 and can below. 5. PROOF-OF-CONCEPT https://kyawminthein901497298.wordpress.com/2018/01/22/cms-made-simple-2-2-5-reflected-cross-site-scripting/ 6. IMPACT This occurs when web application fails to sanitize correctly, so malicious attacker can execute javascript code. 7. SOLUTION Should some sanitize every user input field. 8. VENDOR CMS Made Simple version 2.2.5 9. CREDIT This vulnerability was discovered by Kyaw Min Thein, https://kyawminthein901497298.wordpress.com/2018/01/22/cms-made-simple-2-2-5-reflected-cross-site-scripting/ 10. DISCLOSURE TIME-LINE 1-19-2018 vulnerability reported to vendor 1-21-2018 notified vendor and vendor said they will not give features for using admin permission 1-22-2018 assigned as CVE-2018-5965 by mitre

References:

https://kyawminthein901497298.wordpress.com/2018/01/22/cms-made-simple-2-2-5-reflected-cross-site-scripting/


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top