This article is a part of our Vulnerability Database (back to index)
Cross-site Scripting occurrences in Getsimple Cms
A vulnerability, which was classified as problematic, has been found in GetSimple CMS. Affected by this issue is the file /admin/edit.php of the Content Module. The manipulation of the argument post-content with an input like leads to cross site scripting. The attack may be launched remotely but requires authentication. Expoit details have been disclosed within the advisory. (2022-04-27, CVE-2022-1503)
GetSimple CMS 3.3.16 allows in parameter 'permalink' on the Settings page persistent Cross Site Scripting which is executed when you create and open a new page (2020-10-01, CVE-2020-24861)
A Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16, in the admin/index.php login portal webpage, allows remote attackers to execute JavaScript code in the client's browser and harvest login credentials after a client clicks a link, enters credentials, and submits the login form. (2020-09-01, CVE-2020-23839)
GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php. (2019-09-15, CVE-2019-16333)
There is Stored XSS in GetSimple CMS 3.3.12 via the admin/edit.php "post-menu" parameter, a related issue to CVE-2018-16325. (2018-12-31, CVE-2018-19845)
An issue was discovered in GetSimple CMS 3.3.15. An administrator can insert stored XSS via the admin/settings.php Custom Permalink Structure parameter, which injects the XSS payload into any page created at the admin/pages.php URI. (2018-10-01, CVE-2018-17835)
There is XSS in GetSimple CMS 3.4.0.9 via the admin/edit.php title field. (2018-09-01, CVE-2018-16325)
GetSimple CMS 3.3.14 has XSS via the admin/edit.php "Add New Page" field. (2018-08-25, CVE-2018-15843)
Cross-site scripting (XSS) vulnerability in admin/template/js/uploadify/uploadify.swf in GetSimple CMS 3.3.13 allows remote attackers to inject arbitrary web script or HTML, as demonstrated by the movieName parameter. (2018-04-02, CVE-2018-9173)
Why Cross-site Scripting can be dangerous
Cross site scripting is an attack where a web page executes code that is injected by an adversary. It usually appears, when users input is presented. This attack can be used to impersonate a user, take over control of the session, or even steal API keys.
The attack can be executed e.g. when you application injects the request parameter directly into the HTML code of the page returned to the user:
https://server.com/confirmation?message=Transaction+Complete
what results in:
<span>Confirmation: Transaction Complete</span>
In that case the message can be modified to become a valid Javascript code, e.g.:
https://server.com/confirmation?message=<script>dangerous javascript code here</script>
and it will be executed locally by the user's browser with full access to the user's personal application/browser data:
<span>Confirmation: <script>dangerous javascript code here</script></span>