CVE-2023-43872: GitHub - sromanhu/CMSmadesimple-File-Upload--XSS---File-Manager: CMSmadesimple 2.2.18 is affected by File Upload - XSS vulnerability that allows attackers to upload a PDF file with a hidden XSS that w

A file upload vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to upload a PDF file with hidden Cross Site Scripting (XSS).


CMSmadesimple File Upload - XSS v2.2.18

Author: Sergio

Description: A file upload vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to upload a PDF file with hidden XSS.

Attack Vectors: Insufficient sanitization of uploads in the File Manager allows an attacker to upload a PDF file containing hidden XSS.

POC:

After logging into the admin panel, go to the "Content > File Manager" section of the General Menu.

Upload the PDF file with the hidden XSS. When the uploaded file is opened from the File Manager, the embedded script runs and the Reflected XSS appears.

Additional Information:

http://www.cmsmadesimple.org/

https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
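As an added example (not code from the advisory or from the CMSmadesimple project), the server-side check and response headers the OWASP cheat sheet above recommends for this bug class: confirm the upload really is a PDF, reject files carrying active-content entries, and serve stored uploads as downloads so a browser PDF viewer never renders them in the site's origin. The sample PDFs are constructed for the demo, and the name-object scan is a heuristic that cannot see into compressed object streams.

```python
import re
import secrets

# Constructed sample uploads (not files from the advisory): a plain PDF and one
# whose catalog has an /OpenAction pointing at a JavaScript action, the kind of
# "hidden" payload a browser PDF viewer may run when the file is shown inline.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
             b"trailer<</Root 1 0 R>>\n%%EOF\n")
ACTIVE_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 3 0 R>>endobj\n"
              b"3 0 obj<</S/JavaScript/JS(app.alert\\(1\\))>>endobj\n"
              b"trailer<</Root 1 0 R>>\n%%EOF\n")

# PDF name objects that introduce active content. Heuristic: dictionaries inside
# compressed object streams are not visible to this scan, so it complements, and
# does not replace, serving uploads as attachments from a separate origin.
ACTIVE_CONTENT = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|RichMedia)\b")


def validate_pdf_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason) for a file-manager upload claiming to be a PDF."""
    if not filename.lower().endswith(".pdf"):
        return False, "extension not allowed"
    if not data.startswith(b"%PDF-"):
        return False, "magic bytes do not match PDF"
    if ACTIVE_CONTENT.search(data):
        return False, "PDF contains active content (JavaScript/OpenAction)"
    return True, "ok"


def stored_name() -> str:
    """Server-chosen file name: the client's name never reaches the filesystem."""
    return secrets.token_hex(8) + ".pdf"


def download_headers(name: str) -> dict:
    """Headers for serving any user upload: force download, no sniffing, sandbox."""
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PDF), ("active", ACTIVE_PDF)):
        print(label, validate_pdf_upload("report.pdf", blob))
```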
