exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CMS Made Simple 2.2.5 Persistent Cross Site Scripting

CMS Made Simple 2.2.5 Persistent Cross Site Scripting
Posted Jan 24, 2018
Authored by Kyaw Min Thein

CMS Made Simple version 2.2.5 suffers from a persistent cross site scripting vulnerability.

tags | advisory, xss
advisories | CVE-2018-5963
SHA-256 | 48015b3e10000429dc080fa3869edc8023e0b99b27310b904d0c39191aceb172
Download | Favorite | View

CMS Made Simple 2.2.5 Persistent Cross Site Scripting

Change Mirror Download
1.OVERVIEW

CMS Made Simple version 2.2.5 is vulnerable to Stored Cross-Site Scripting.

2. PRODUCT DESCRIPTION

CMS Made Simple is open source CMS for developing website.

3. VULNERABILITY DESCRIPTION

The CMS Made Simple version 2.2.5 in admin/addbookmark.php didn't validate correctly in title parameter, so it can be execute as malicious javascript code.

4. VERSIONS AFFECTED

2.2.5 and can below.

5. PROOF-OF-CONCEPT

https://kyawminthein901497298.wordpress.com/2018/01/22/the-journey-begins/
[https://kyawminthein901497298.files.wordpress.com/2018/01/stored-xss.png]<https://kyawminthein901497298.wordpress.com/2018/01/22/the-journey-begins/>

CMS 2.2.5 Stored Cross-Site Scripting<https://kyawminthein901497298.wordpress.com/2018/01/22/the-journey-begins/>
CVE-2018-5963 CMS Made Simple (CMSMS) 2.2.5 has Stored XSS in admin/addbookmark.php via the title parameter. After this request, website will pop-up The Add Shortcut title  field is not properly sa
kyawminthein901497298.wordpress.com



6. IMPACT

This occurs when web application fails to sanitize correctly, so malicious attacker can execute javascript code.

7. SOLUTION

Should some sanitize every user input field.

8. VENDOR

CMS Made Simple version 2.2.5

9. CREDIT

This vulnerability was discovered by Kyaw Min Thein,
https://kyawminthein901497298.wordpress.com/2018/01/22/the-journey-begins/
[https://kyawminthein901497298.files.wordpress.com/2018/01/stored-xss.png]<https://kyawminthein901497298.wordpress.com/2018/01/22/the-journey-begins/>

CMS 2.2.5 Stored Cross-Site Scripting<https://kyawminthein901497298.wordpress.com/2018/01/22/the-journey-begins/>
CVE-2018-5963 CMS Made Simple (CMSMS) 2.2.5 has Stored XSS in admin/addbookmark.php via the title parameter. After this request, website will pop-up The Add Shortcut title  field is not properly sa
kyawminthein901497298.wordpress.com



10. DISCLOSURE TIME-LINE

1-19-2018 vulnerability reported to vendor
1-21-2018 notified vendor and vendor said they will not give features for using admin permission
1-22-2018 assigned as CVE-2018-5963 by mitre


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close