List: full-disclosure
Subject: [FD] CMS Made Simple 2.2.5[Reflected Cross-Site Scripting]
From: Kyaw Min Thein <weev3 () outlook ! com>
Date: 2018-01-22 4:26:22
Message-ID: SN1PR0501MB21102FDB94D4387595AB3116EEEC0 () SN1PR0501MB2110 ! namprd05 ! prod ! outlook ! com
1. OVERVIEW
CMS Made Simple version 2.2.5 is vulnerable to Reflected Cross-Site Scripting.
2. PRODUCT DESCRIPTION
CMS Made Simple is an open source CMS for developing websites.
3. VULNERABILITY DESCRIPTION
In CMS Made Simple version 2.2.5, /admin/moduleinterface.php does not correctly validate the
m1_errors parameter, so its value can be executed as malicious JavaScript code.
4. VERSIONS AFFECTED
2.2.5 and below.
5. PROOF-OF-CONCEPT
https://kyawminthein901497298.wordpress.com/2018/01/22/cms-made-simple-2-2-5-reflected-cross-site-scripting/
6. IMPACT
This occurs when a web application fails to sanitize input correctly, so a malicious attacker
can execute JavaScript code.
7. SOLUTION
Every user input field should be sanitized.
8. VENDOR
CMS Made Simple version 2.2.5
9. CREDIT
This vulnerability was discovered by Kyaw Min Thein,
https://kyawminthein901497298.wordpress.com/2018/01/22/cms-made-simple-2-2-5-reflected-cross-site-scripting/
10. DISCLOSURE TIME-LINE
1-19-2018 vulnerability reported to vendor
1-21-2018 notified vendor and vendor said they will not give features for using admin permission
1-22-2018 assigned as CVE-2018-5965 by MITRE
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
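
A log-triage check for the issue described above, added here as an example and not part of the original advisory or of CMS Made Simple: it flags access-log requests to /admin/moduleinterface.php whose m1_errors value decodes to markup characters. It assumes the parameter arrives in the query string and that the server writes common/combined-format logs; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Path and parameter named in the advisory.
TARGET_PATH = "/admin/moduleinterface.php"
TARGET_PARAM = "m1_errors"

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<url>\S+) HTTP/[\d.]+"')
# Heuristic: characters that let a reflected value break out of text into markup.
MARKUP_RE = re.compile(r"[<>\"']")


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are inspected too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_values(line):
    """Return decoded m1_errors values in one log line that contain markup."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group("url"))
    # endswith() also covers installs under a sub-directory such as /cms/.
    if not url.path.endswith(TARGET_PATH):
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == TARGET_PARAM:
            value = decode_fully(value)
            if MARKUP_RE.search(value):
                hits.append(value)
    return hits


# Constructed sample log lines (not taken from the advisory).
PREFIX = '203.0.113.5 - - [22/Jan/2018:04:30:00 +0000] "GET '
SAMPLE_LOG = [
    PREFIX + '/admin/moduleinterface.php?m1_errors=Saved HTTP/1.1" 200 512',
    PREFIX + '/admin/moduleinterface.php?m1_errors=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    PREFIX + '/cms/admin/moduleinterface.php?m1_errors=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 600',
    PREFIX + '/index.php?m1_errors=%3Cb%3E HTTP/1.1" 200 300',
]
```

Values sent in a POST body do not appear in access logs, so this check only covers query-string delivery.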