Qool CMS Persistent Cross-Site Scripting Vulnerability
Vulnerability
A persistent cross-site scripting vulnerability has been identified in Qool CMS version 2.0 RC2. This vulnerability arises from several administrative scripts that do not properly sanitize POST parameters before storing and returning them to users. Attackers can exploit this flaw by injecting malicious JavaScript into various fields, such as 'title', 'name', 'email', 'username', 'link', and 'task', across multiple endpoints including 'addnewtype', 'addnewdatafield', 'addmenu', 'addusergroup', 'addnewuserfield', 'adduser', 'addgeneraldata', and 'addcontentitem'. The injected scripts are then executed in the context of the administrator's browser session.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the affected user's session, potentially leading to unauthorized actions or data exposure.
Reproduction
To reproduce this vulnerability, log into the Qool CMS admin panel and navigate to any of the vulnerable endpoints. Use a POST request to submit a form that includes one of the targeted parameters, such as 'title' or 'email', with an injected script payload, such as a JavaScript alert. Once the form is submitted, the injected script will execute in the browser.
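The flaw described above comes down to stored values being written back into HTML unencoded. The following is an added example, not Qool CMS code, showing the unencoded rendering beside an encoded one for three of the listed fields; the helper names `e`, `safe_link`, `render_unsafe`, `render_safe` and the sample row are assumptions made for illustration.

```php
<?php
// Added example, not Qool CMS code. All function names are hypothetical.

// Encode a stored value for an HTML text node or a quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 'link' needs more than encoding: an HTML-encoded "javascript:" URL is
// still a script URL inside href. Allow only absolute http(s) URLs;
// anything else (including relative URLs) becomes '#'.
function safe_link(string $url): string
{
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme)
        || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return e($url);
}

// Vulnerable pattern: stored fields concatenated straight into markup.
function render_unsafe(array $row): string
{
    return '<a href="' . $row['link'] . '" title="' . $row['name'] . '">'
         . $row['title'] . '</a>';
}

// Hardened pattern: every field encoded for the context it lands in.
function render_safe(array $row): string
{
    return '<a href="' . safe_link($row['link']) . '" title="'
         . e($row['name']) . '">' . e($row['title']) . '</a>';
}

// Constructed sample row, as it might come back from storage.
$row = [
    'title' => '<script>alert(1)</script>',
    'name'  => 'Ann "A" O\'Neil',
    'link'  => 'javascript:alert(1)',
];

echo render_safe($row), PHP_EOL;
```

Encoding at output time covers values that were already stored before any input filtering was added, which matters for a persistent issue like this one.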
