Description: Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Profiles in the Extensions - MicroTiny WYSIWYG editor.
Attack Vectors: Scripting A vulnerability in the sanitization of the entry in the Profiles of "MicroTiny WYSIWYG editor" allows injecting JavaScript code that will be executed when the user accesses the web page.
When logging into the panel, we will go to the "Extensions- MicroTiny WYSIWYG editor." section off General Menu.
We edit that MicroTiny WYSIWYG edito Menu with the payload that we have created and see that we can inject arbitrary Javascript code in the Profile field.
""><svg/onload=alert('Profile')>In the following image you can see the embedded code that executes the payload in the main web.
