{"vuid":"VU#526062","idnumber":"526062","name":"CMS Made Simple contains multiple cross-site scripting vulnerabilities","keywords":["cms","cms made simple","php","xss"],"overview":"CMS Made Simple contains multiple cross-site scripting vulnerabilities","clean_desc":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-0334 The files: cmsmadesimple/admin/addgroup.php on line 107 contains a post-authentication reflected XSS vulnerability in the group parameter. cmsmadesimple/admin/addhtmlblob.php on line 165  contains a post-authentication reflected XSS vulnerability in the htmlblob parameter. cmsmadesimple/admin/addbookmark.php on lines 92 and 96 contains a post-authentication reflected XSS vulnerability in the title and url parameters. cmsmadesimple/admin/copystylesheet.php on line 117 contains a post-authentication reflected XSS vulnerability in the stylesheet_name parameter. cmsmadesimple/admin/copytemplate.php on line 160  contains a post-authentication reflected XSS vulnerability in the template_name parameter. cmsmadesimple/admin/editbookmark.php on lines 117 and 121 contains a post-authentication reflected XSS vulnerability in the title and url parameters. cmsmadesimple/admin/listtemplates.php on line 188 contains a post-authentication persistent XSS vulnerability in the template parameter. cmsmadesimple/admin/listcss.php on line 172 contains a post-authentication persistent XSS vulnerability in the  css_name parameter.","impact":"A remote attacker that is able to trick a logged in administrative user in to visiting a specially crafted URL may be able to conduct a cross-site scripting attack. This attack may result in information leakage, privilege escalation, and/or denial of service.","resolution":"We are currently unaware of a practical solution to this problem.","workarounds":"","sysaffected":"","thanks":"Thanks to Pedro Ribeiro \nof \nAgile Information Security for re\nporting this vulnerability.","author":"This document was written by Chris King.","public":["h","t","t","p",":","/","/","w","w","w",".","c","m","s","m","a","d","e","s","i","m","p","l","e",".","o","r","g","/"],"cveids":["CVE-2014-0334"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-12-17T14:53:00Z","publicdate":"2014-02-28T00:00:00Z","datefirstpublished":"2014-02-28T15:02:15Z","dateupdated":"2014-02-28T15:02:29Z","revision":21,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"UC","cvss_collateraldamagepotential":"N","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"4.9","cvss_basevector":"AV:N/AC:M/Au:S/C:P/I:P/A:N","cvss_temporalscore":"3.7","cvss_environmentalscore":"0.9436652890875","cvss_environmentalvector":"CDP:N/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}