Simple CMS Persistent Cross-Site Scripting Vulnerability

A persistent cross-site scripting vulnerability has been identified in Simple CMS version 2.1. This vulnerability allows remote attackers to inject malicious scripts into user input parameters, which are then executed when the user list is previewed. The issue arises in the 'newUser' and 'editUser' modules, potentially leading to session hijacking and unauthorized manipulation of the application.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the context of the user viewing the list, potentially leading to session hijacking and manipulation of the application.

Reproduction

To reproduce this vulnerability, log into the admin panel of Simple CMS 2.1 with a privileged account. Navigate to the 'Users' section and use the 'newUser' or 'editUser' modules to create or modify a user. Inject a script payload into the 'name', 'username', and 'password' fields. Once the user is saved, the injected script will execute when the user list is previewed.