We found vulnerability of CMS Made Simple

Details about Made Simple CMS

CMS Made Simple (CMSMS) is a free, open source (GPL) content management system (CMS) to provide developers, programmers and site owners a web-based development and administration area. In 2010 it won the Packt Publishing annual award for open source content management. (Source: wikipedia)

It is possible for an authenticated user with admin access to misuse XSS vulnerability in Admin panel and in extensions. The vulnerability exists due to insufficient filtration of user-supplied data. By exploiting this vulnerability, an attacker gains ability to execute own client-side code in context of another user. This can lead to taking actions under other admin user account. Also passwords are stored as salted MD5 hash.

Vulnerabilities

XSS v Admin search

Payload: <script>alert(document.domain)</script>
Description: After insert of payload to input, it is needed to reload webpage to trigger payload

Stored XSS v manage shortcuts

Payload: <script>alert(document.domain)</script>
Parameter: name

Stored XSS v global settings, content editing settings, maintenance mode

Payload: <script>alert(document.domain)</script>

Stored XSS v global settings

Payload: <script>alert(1)</script>
Parameter: global metadata
Description: Also triggers in visitors site

Stored XSS in title of article

Payload: XSS <script>alert(document.domain)</script>
Description: Triggers in admin area and article content triggers also in visitors site. Here is needed to modify request with proxy, because website encodes few characters before sending.

Stored XSS v settings - content manager

Payload: <script>alert(document.domain)</script>

Because developers decided to not fix these vulnerabilities, best advice is to use another - regularly updated CMS, like Wordpress.

These vulnerabilities were discovered by Tomas Volny from Citadelo.