elprofesor

cybersecurity | notes | findings | tools

2021-10-24

Stored Cross-Site Scripting via m1_name (Authenticated) cmsms

cve

Stored Cross-Site Scripting via m1_name (Authenticated)

CVE-2021-43154

This vulnerability was successfully registered in CVE database.

https://www.cvedetails.com/cve/CVE-2021-43154/

Product Version

Vulnerability is present on the following version: 2.2.15 (CMS made simple) alt text cmsms-2.2.15-install.zip

alt text All checks enabled at install phase.

Proof of Concept

The following image will show a “dashboard” of a user with privileges: alt text Any user who can “Add category” or “Edit category” from “Site Admin” -> “Settings - News module” can trigger a stored cross site scripting vulnerability. alt text An attacker can update the name field to a xss payload such as:

<script>alert("trigger")</script>

alt text Submit Request (payload in m1_name): alt text Submit Response: alt text After following redirection: alt text alt text alt text

Trigger:

  • View content -> news alt text Reflection of payload: alt text

  • View site (all pages) or preview site alt text alt text alt text alt text All pages/articles can trigger this vulnerability

Reflection of payload in response: alt text

We recommend to sanitize all user input from all parameters, especially “m1_name” from admin/moduleinterface.php