Lucene search
Copyright (C) 2021 Greenbone AGOPENVAS:1361412562310118144HistoryAug 06, 2021 - 12:00 a.m.
CMS Made Simple 2.2.14 XSS Vulnerability (Jul 2021)
2021-08-0600:00:00
Copyright (C) 2021 Greenbone AG
plugins.openvas.org
4
CMS Made Simple is prone to a cross-site scripting (XSS)
vulnerability.
# SPDX-FileCopyrightText: 2021 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.118144");
script_version("2023-05-12T10:50:26+0000");
script_tag(name:"last_modification", value:"2023-05-12 10:50:26 +0000 (Fri, 12 May 2023)");
script_tag(name:"creation_date", value:"2021-08-06 16:22:04 +0200 (Fri, 06 Aug 2021)");
script_tag(name:"cvss_base", value:"3.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:S/C:N/I:P/A:N");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2021-07-30 15:08:00 +0000 (Fri, 30 Jul 2021)");
script_tag(name:"qod_type", value:"remote_banner");
script_tag(name:"solution_type", value:"WillNotFix");
script_cve_id("CVE-2020-23240");
script_name("CMS Made Simple 2.2.14 XSS Vulnerability (Jul 2021)");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2021 Greenbone AG");
script_family("Web application abuses");
script_dependencies("gb_cms_made_simple_http_detect.nasl");
script_mandatory_keys("cmsmadesimple/detected");
script_tag(name:"summary", value:"CMS Made Simple is prone to a cross-site scripting (XSS)
vulnerability.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"insight", value:"An authenticated malicious user can take advantage of a stored XSS
vulnerability on on 'Logic' via 'Content Manager'.
Vendor statement: 'The Logic field is meant to put code in and it is only accessible for approved
administrators'.");
script_tag(name:"impact", value:"Successful exploitation would allow an authenticated attacker to
transmit private data, like cookies or other session information, redirecting the victim to web
content controlled by the attacker, or performing other malicious operations on the user's machine
under the guise of the vulnerable site.");
script_tag(name:"affected", value:"CMS Made Simple prior to version 2.2.15.");
script_tag(name:"solution", value:"No solution was made available by the vendor.
Note: The vendor states: 'The Logic field is meant to put code in and it is only accessible
for approved administrators. If you don't trust your admins, don't give them access to
(this field in) the admin panel.'");
script_xref(name:"URL", value:"http://dev.cmsmadesimple.org/bug/view/12321");
exit(0);
}
CPE = "cpe:/a:cmsmadesimple:cms_made_simple";
include( "host_details.inc" );
include( "version_func.inc" );
if( ! port = get_app_port( cpe: CPE ) )
exit( 0 );
if( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) )
exit( 0 );
version = infos["version"];
location = infos["location"];
if( version_is_equal( version: version, test_version: "2.2.14" ) ) {
report = report_fixed_ver( installed_version: version, fixed_version: "None", install_path: location );
security_message( data: report, port: port );
exit( 0 );
}
exit( 0 );
References
Related
prion
prion
Cross site scripting
2021-07-26 21:15:00
cvelist
cvelist
CVE-2020-23240
2021-07-26 20:06:58
cnvd
cnvd
CMS Made Simple Cross-Site Scripting Vulnerability (CNVD-2021-57425)
2021-07-27 00:00:00
cve
cve
CVE-2020-23240
2021-07-26 21:15:00
gentoo
gentoo
sudo: Multiple vulnerabilities
2021-01-26 00:00:00
5 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
20.8%
Related for OPENVAS:1361412562310118144