Skip to content

CMSmadesimple 2.2.18 is affected by File Upload - XSS vulnerability that allows attackers to upload a PDF file with a hidden XSS that when executed will launch the XSS pop-up

Notifications You must be signed in to change notification settings

sromanhu/CVE-2023-43872-CMSmadesimple-Arbitrary-File-Upload--XSS---File-Manager

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 

Repository files navigation

CMSmadesimple File Upload - XSS v2.2.18

Author: (Sergio)

Description: File upload vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to upload a pdf file with hidden XSS.

Attack Vectors: A vulnerability in File Manager file upload sanitation allows you to upload a PDF file with hidden XSS.


POC:

When logging into the panel, we will go to the "Content- File Manager." section off General Menu.

XSS pdf file upload

We upload the PDF file with the hidden XSS and we see that we can execute it and the Reflected XSS appears.

XSS pdf file upload resultado


Additional Information:

http://www.cmsmadesimple.org/

https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html

About

CMSmadesimple 2.2.18 is affected by File Upload - XSS vulnerability that allows attackers to upload a PDF file with a hidden XSS that when executed will launch the XSS pop-up

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published