Vulnerability-Lookup

CNVD-2020-57873

Vulnerability from cnvd - Published: 2020-10-22

Title

CMS Made Simple跨站脚本漏洞（CNVD-2020-57873）

Description

CMS Made Simple（CMSMS）是CMSMS团队的一套开源的内容管理系统(CMS)。该系统支持基于角色的权限管理系统、基于向导的安装与更新机制、智能缓存机制等。 CMS Made Simple 2.2.14版本存在跨站脚本漏洞，该漏洞源于允许访问内容管理器的经过身份验证的用户编辑内容，并在受影响的文本字段中放置持久的XSS有效负载。攻击者可利用该漏洞从访问该网站的每个经过身份验证的用户那里获得cookie。

Severity

低

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法：

https://www.cmsmadesimple.org/

Reference

https://packetstormsecurity.com/files/159434/CMS-Made-Simple-2.2.14-Cross-Site-Scripting.html; http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24860

Impacted products

Name
Cms made simple CMS Made Simple 2.2.14

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-24860",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-24860"
    }
  },
  "description": "CMS Made Simple\uff08CMSMS\uff09\u662fCMSMS\u56e2\u961f\u7684\u4e00\u5957\u5f00\u6e90\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf(CMS)\u3002\u8be5\u7cfb\u7edf\u652f\u6301\u57fa\u4e8e\u89d2\u8272\u7684\u6743\u9650\u7ba1\u7406\u7cfb\u7edf\u3001\u57fa\u4e8e\u5411\u5bfc\u7684\u5b89\u88c5\u4e0e\u66f4\u65b0\u673a\u5236\u3001\u667a\u80fd\u7f13\u5b58\u673a\u5236\u7b49\u3002\n\nCMS Made Simple 2.2.14\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5141\u8bb8\u8bbf\u95ee\u5185\u5bb9\u7ba1\u7406\u5668\u7684\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u7f16\u8f91\u5185\u5bb9\uff0c\u5e76\u5728\u53d7\u5f71\u54cd\u7684\u6587\u672c\u5b57\u6bb5\u4e2d\u653e\u7f6e\u6301\u4e45\u7684XSS\u6709\u6548\u8d1f\u8f7d\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ece\u8bbf\u95ee\u8be5\u7f51\u7ad9\u7684\u6bcf\u4e2a\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u90a3\u91cc\u83b7\u5f97cookie\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\n\r\nhttps://www.cmsmadesimple.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-57873",
  "openTime": "2020-10-22",
  "products": {
    "product": "Cms made simple CMS Made Simple 2.2.14"
  },
  "referenceLink": "https://packetstormsecurity.com/files/159434/CMS-Made-Simple-2.2.14-Cross-Site-Scripting.html; http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24860",
  "serverity": "\u4f4e",
  "submitTime": "2020-10-13",
  "title": "CMS Made Simple\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-57873\uff09"
}

CVE-2020-24860 (GCVE-0-2020-24860)

Vulnerability from cvelistv5 – Published: 2020-10-01 13:55 – Updated: 2024-08-04 15:19

Summary

CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.cmsmadesimple.org	x_refsource_MISC
	https://www.exploit-db.com/exploits/48851	x_refsource_MISC
	https://www.youtube.com/watch?v=M6D7DmmjLak&t=22s	x_refsource_MISC
	http://packetstormsecurity.com/files/159434/CMS-M…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:19:09.387Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.cmsmadesimple.org"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/48851"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.youtube.com/watch?v=M6D7DmmjLak\u0026t=22s"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/159434/CMS-Made-Simple-2.2.14-Cross-Site-Scripting.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-01T16:06:37.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.cmsmadesimple.org"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.exploit-db.com/exploits/48851"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.youtube.com/watch?v=M6D7DmmjLak\u0026t=22s"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/159434/CMS-Made-Simple-2.2.14-Cross-Site-Scripting.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-24860",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cmsmadesimple.org",
              "refsource": "MISC",
              "url": "https://www.cmsmadesimple.org"
            },
            {
              "name": "https://www.exploit-db.com/exploits/48851",
              "refsource": "MISC",
              "url": "https://www.exploit-db.com/exploits/48851"
            },
            {
              "name": "https://www.youtube.com/watch?v=M6D7DmmjLak\u0026t=22s",
              "refsource": "MISC",
              "url": "https://www.youtube.com/watch?v=M6D7DmmjLak\u0026t=22s"
            },
            {
              "name": "http://packetstormsecurity.com/files/159434/CMS-Made-Simple-2.2.14-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/159434/CMS-Made-Simple-2.2.14-Cross-Site-Scripting.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-24860",
    "datePublished": "2020-10-01T13:55:24.000Z",
    "dateReserved": "2020-08-28T00:00:00.000Z",
    "dateUpdated": "2024-08-04T15:19:09.387Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-57873

CVE-2020-24860 (GCVE-0-2020-24860)

Tags

Sightings

Nomenclature