[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] CMS Made Simple 2.2.5[Reflected Cross-Site Scripting]
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] CMS Made Simple 2.2.5[Reflected Cross-Site Scripting]
- From: Kyaw Min Thein <weev3@xxxxxxxxxxx>
- Date: Mon, 22 Jan 2018 04:26:22 +0000
1.OVERVIEW
CMS Made Simple version 2.2.5 is vulnerable to Reflected Cross-Site Scripting.
2. PRODUCT DESCRIPTION
CMS Made Simple is open source CMS for developing website.
3. VULNERABILITY DESCRIPTION
The CMS Made Simple version 2.2.5 in /admin/moduleinterface.php didn't validate
correctly in m1_errors parameter, so it can be execute as malicious javascript
code.
4. VERSIONS AFFECTED
2.2.5 and can below.
5. PROOF-OF-CONCEPT
https://kyawminthein901497298.wordpress.com/2018/01/22/cms-made-simple-2-2-5-reflected-cross-site-scripting/
6. IMPACT
This occurs when web application fails to sanitize correctly, so malicious
attacker can execute javascript code.
7. SOLUTION
Should some sanitize every user input field.
8. VENDOR
CMS Made Simple version 2.2.5
9. CREDIT
This vulnerability was discovered by Kyaw Min Thein,
https://kyawminthein901497298.wordpress.com/2018/01/22/cms-made-simple-2-2-5-reflected-cross-site-scripting/
10. DISCLOSURE TIME-LINE
1-19-2018 vulnerability reported to vendor
1-21-2018 notified vendor and vendor said they will not give features for using
admin permission
1-22-2018 assigned as CVE-2018-5965 by mitre
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/