CMSimple 4.6.2 Cross Site Scripting
Posted on 01 June 2016
============================================= MGC ALERT 2016-004 - Original release date: May 28, 2016 - Last revised: June 1, 2016 - Discovered by: Manuel Garcia Cardenas - Severity: 4,8/10 (CVSS Base Score) ============================================= I. VULNERABILITY ------------------------- Reflected XSS in CMSimple <= v4.6.2 II. BACKGROUND ------------------------- CMSimple is a php based Content Managemant System (CMS) , which requires no database. All data are stored in a simple file system. III. DESCRIPTION ------------------------- Has been detected a reflected XSS vulnerability in Admin Panel of CMSimple, that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser. The code injection is done through the parameter "subdir" in the page "userfiles". IV. PROOF OF CONCEPT ------------------------- Malicious Request: /cmsimple/?userfiles&subdir=userfiles/<XSS injection> Example: /cmsimple/?userfiles&subdir=userfiles/<script>alert(1)</script> V. BUSINESS IMPACT ------------------------- An attacker can execute arbitrary HTML or script code in a targeted user's browser, this can leverage to steal sensitive information as user credentials, personal data, etc. VI. SYSTEMS AFFECTED ------------------------- CMSimple <= v4.6.2 VII. SOLUTION ------------------------- Update to version 4.6.3 VIII. REFERENCES ------------------------- http://www.cmsimple.org/ IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com). X. REVISION HISTORY ------------------------- May 28, 2016 1: Initial release June 1, 2016 2: Last revision XI. DISCLOSURE TIMELINE ------------------------- May 28, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas May 28, 2016 2: Send to vendor May 30, 2016 3: New version that includes patched code http://cmsimple.org/downloadcounter/dlcount/count.php?id=31 June 1, 2016 4: Sent to lists XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. XIII. ABOUT ------------------------- Manuel Garcia Cardenas Pentester
