CMS Made Simple 1.10.3 Cross Site Scripting

`+---------------------------------------------------------------------------------------------------------------------------------+  
# Exploit Title : CMS Made Simple <= 1.10.3 XSS Vulnerability  
# Date : 02-04-2012  
# Author : Ivano Binetti (http://ivanobinetti.com)  
# Vendor site : http://www.cmsmadesimple.org/  
# Software link : http://s3.amazonaws.com/cmsms/downloads/8886/cmsmadesimple-1.10.3-full.tar.gz  
# Version : 1.10.3 and lower   
# Tested on : Debian Squeeze (6.0)   
# Original Advisory : http://www.webapp-security.com/2012/04/cms-made-simple/  
# CVE : CVE-2012-1992  
+---------------------------------------------------------------------------------------------------------------------------------+  
Summary  
1)Introduction  
2)Description  
3)Exploit  
+---------------------------------------------------------------------------------------------------------------------------------+  
1)Introduction  
CMS Made Simple is "an open source content management system, allows for faster and easier management of website content. This CMS  
is scalable for small businesses to large corporations".  
  
2)Description  
CMS Made Simple 1.10.3 (and lower) is prone to a XSS vulnerability due to an improper input sanitization of "email" parameter,   
passed to server side script "admin/edituser.php" via http POST method.   
  
3)Exploit   
Insert the following code in "Email Address" field within "Edit User" template:  
<script>alert(document.cookie)</script>  
+---------------------------------------------------------------------------------------------------------------------------------+  
`