exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CMS Made Simple 2.2.5 Persistent Cross Site Scripting

CMS Made Simple 2.2.5 Persistent Cross Site Scripting
Posted Jan 24, 2018
Authored by Kyaw Min Thein

CMS Made Simple version 2.2.5 suffers from a persistent cross site scripting vulnerability.

tags | advisory, xss
advisories | CVE-2018-5963
SHA-256 | 48015b3e10000429dc080fa3869edc8023e0b99b27310b904d0c39191aceb172
Download | Favorite | View

CMS Made Simple 2.2.5 Persistent Cross Site Scripting

Change Mirror Download
1.OVERVIEW

CMS Made Simple version 2.2.5 is vulnerable to Stored Cross-Site Scripting.

2. PRODUCT DESCRIPTION

CMS Made Simple is open source CMS for developing website.

3. VULNERABILITY DESCRIPTION

The CMS Made Simple version 2.2.5 in admin/addbookmark.php didn't validate correctly in title parameter, so it can be execute as malicious javascript code.

4. VERSIONS AFFECTED

2.2.5 and can below.

5. PROOF-OF-CONCEPT

https://kyawminthein901497298.wordpress.com/2018/01/22/the-journey-begins/
[https://kyawminthein901497298.files.wordpress.com/2018/01/stored-xss.png]<https://kyawminthein901497298.wordpress.com/2018/01/22/the-journey-begins/>

CMS 2.2.5 Stored Cross-Site Scripting<https://kyawminthein901497298.wordpress.com/2018/01/22/the-journey-begins/>
CVE-2018-5963 CMS Made Simple (CMSMS) 2.2.5 has Stored XSS in admin/addbookmark.php via the title parameter. After this request, website will pop-up The Add Shortcut title  field is not properly sa
kyawminthein901497298.wordpress.com



6. IMPACT

This occurs when web application fails to sanitize correctly, so malicious attacker can execute javascript code.

7. SOLUTION

Should some sanitize every user input field.

8. VENDOR

CMS Made Simple version 2.2.5

9. CREDIT

This vulnerability was discovered by Kyaw Min Thein,
https://kyawminthein901497298.wordpress.com/2018/01/22/the-journey-begins/
[https://kyawminthein901497298.files.wordpress.com/2018/01/stored-xss.png]<https://kyawminthein901497298.wordpress.com/2018/01/22/the-journey-begins/>

CMS 2.2.5 Stored Cross-Site Scripting<https://kyawminthein901497298.wordpress.com/2018/01/22/the-journey-begins/>
CVE-2018-5963 CMS Made Simple (CMSMS) 2.2.5 has Stored XSS in admin/addbookmark.php via the title parameter. After this request, website will pop-up The Add Shortcut title  field is not properly sa
kyawminthein901497298.wordpress.com



10. DISCLOSURE TIME-LINE

1-19-2018 vulnerability reported to vendor
1-21-2018 notified vendor and vendor said they will not give features for using admin permission
1-22-2018 assigned as CVE-2018-5963 by mitre


Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    31 Files
  • 26
    Jul 26th
    13 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    27 Files
  • 30
    Jul 30th
    49 Files
  • 31
    Jul 31st
    29 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close