Software link: CMSimple 5.15 [https://www.cmsimple.org/en/?Downloads___CMSimple]
@author: Antonio Díaz.
Description: Cross-site scripting (XSS) vulnerability in the Language section of the Settings menu of CMSimple 5.15 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into multiple parameters.
CVE: CVE-2024-32344, CVE-2024-32345, CVE-2024-33423 y CVE-2024-33424.
- Enter to Language section of the Settings menu:
- Set the payload in 'Edit' parameter of the Action section:
- Click on the Save button:
- Result:
- Enter to Language section of the Settings menu:
- Set the payload in 'Configuration' parameter of the Adminmenu section:
- Click on the Save button:
- Result:
- Enter to Language section of the Settings menu:
- Set the payload in 'Downloads' parameter of the Adminmenu section:
- Click on the Save button:
- Result:
- Enter to Language section of the Settings menu:
- Set the payload in 'Logout' parameter of the Adminmenu section:
- Click on the Save button:
- Result:
More parameters in the Settings section are vulnerable to XSS attacks.