Getsimple CMS 3.3.1 - Persistent Cross-Site Scripting

EDB-ID:

32502

CVE:

N/A




Platform:

PHP

Date:

2014-03-25


# Exploit Title: etSimple CMS v3.3.1 Persistent Cross Site Scripting

# Google Dork: N/A

# Date: 24-03-2014

# Exploit Author: Jeroen - IT Nerdbox

# Vendor Homepage: http://get-simple.info/

# Software Link: http://get-simple.info/download/

# Version: v3.3.1

# Tested on: N/A

# CVE : N/A

#

## Description:

#

# In the administrative interface, the users can change their personal
settings. The parameters "name" and 

# "permalink"  do not properly sanitize its input and allows malicious code
to be stored in the XML file.

#

## PoC:

# Admin"><script>alert("1");</script>

# http://url/admin/settings.php

#

#

# The following parameters are vulnerable:

#

# 1. Permalink

# 2. Name

#

#

# More information can be found at:
http://www.nerdbox.it/getsimple-cms-v3-3-1-vulnerabilities/