Software Engineering Institute

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-0334

The files:
cmsmadesimple/admin/addgroup.php on line 107 contains a post-authentication reflected XSS vulnerability in the group parameter.
cmsmadesimple/admin/addhtmlblob.php on line 165 contains a post-authentication reflected XSS vulnerability in the htmlblob parameter.
cmsmadesimple/admin/addbookmark.php on lines 92 and 96 contains a post-authentication reflected XSS vulnerability in the title and url parameters.
cmsmadesimple/admin/copystylesheet.php on line 117 contains a post-authentication reflected XSS vulnerability in the stylesheet_name parameter.
cmsmadesimple/admin/copytemplate.php on line 160 contains a post-authentication reflected XSS vulnerability in the template_name parameter.
cmsmadesimple/admin/editbookmark.php on lines 117 and 121 contains a post-authentication reflected XSS vulnerability in the title and url parameters.
cmsmadesimple/admin/listtemplates.php on line 188 contains a post-authentication persistent XSS vulnerability in the template parameter.
cmsmadesimple/admin/listcss.php on line 172 contains a post-authentication persistent XSS vulnerability in the css_name parameter.

A remote attacker that is able to trick a logged in administrative user in to visiting a specially crafted URL may be able to conduct a cross-site scripting attack. This attack may result in information leakage, privilege escalation, and/or denial of service.

We are currently unaware of a practical solution to this problem.