oss-sec mailing list archives
CVE Request: GetSimple CMS: Multiple Stored XSS
From: Anirudh Anand <anirudhanand722 () gmail com>
Date: Fri, 3 Jul 2015 13:27:27 +0530
Hello, GetSimple <http://get-simple.info/> is a stand-a-alone, fully independent and lite Content Management System. Recently I found that Getsimple CMS is vulnerable to Stored Cross site scripting attack. *POC:* While creating a new page, give the page title as *new"onmouseover="alert(1)";* and in the content, give *<svg onload="alert(10)">*. Now save it and then go to *pages.php* and then hover the mouse over the cross mark (which is used to delete the post). You can see that XSS is triggered. Now, go to *backups.php* and hover the mouse over it and again you can see the XSS triggered. Now open the backup and you can see that *<svg>* is triggered there. But since there is regex checking in the main pages, the *<svg>* won't get triggered in the main page. Any normal user has the ability to add new pages and each time when a post is saved, it gets automatically saved into *backups.php* *Date of reporting:* 3rd July, 2015 *Exploit Author:* Anirudh Anand *Vendor Homepage*: http://get-simple.info/ *Software Link:* http://get-simple.info/download/ *Version affected: *Possibly all version <= 3.3.5 *Tested on:* Linux:- Ubuntu, Debian, PHP - 5.5 The issue has been reported to the vendor: https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1067 Is it possible to assign CVE identifier for the same ? Thank you, -- Anirudh Anand bi0s@AMRITA www.securethelock.com *"Those who Say it cannot be done, should not interrupt the people doing it"*
Current thread:
- CVE Request: GetSimple CMS: Multiple Stored XSS Anirudh Anand (Jul 03)