OpenSolution QuickCMS and QuickCMS.Ext Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in OpenSolution QuickCMS version 6.8. The issue arises in the page editor functionality, where an attacker with admin privileges can inject arbitrary HTML and JavaScript into the website. This injected content is executed when the edited page is viewed. Regular admin users cannot inject JavaScript into the pages. Additionally, QuickCMS.Ext version 6.8 is vulnerable to reflected cross-site scripting in the thumbnail viewer functionality, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious URL.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page. In QuickCMS.Ext, the impact is reflected cross-site scripting, executing injected scripts immediately when the malicious URL is accessed.