CMSimple_XH
cpe:2.3:a:cmsimple-xh:cmsimple_xh:*:*:*:*:*:*:*
- 1.8
A reflected cross-site scripting vulnerability has been identified in CMSimple_XH version 1.8. The issue arises in the index.php router, where attacker-controlled path segments are not properly sanitized or encoded before being inserted into the generated HTML. This lack of sanitization allows for the execution of arbitrary JavaScript in the browsers of victims who visit a crafted URL. The vulnerability affects various HTML elements, including navigation links, breadcrumbs, search form actions, and footer links.
Exploitation of this vulnerability allows for client-side code execution, where injected JavaScript is executed in the context of the victim's browser. This could lead to information disclosure by reading the DOM and exfiltrating client-accessible cookies or tokens. If session tokens are accessible to JavaScript and not marked as HttpOnly, it could result in session hijacking. Additionally, the vulnerability could be used for UI spoofing or phishing by rendering fake login prompts or pages, or for performing forced actions using the victim's authenticated session.
To reproduce this vulnerability, send a POST request to the CMSimple_XH index.php file with a crafted URL path that includes unencoded JavaScript, such as a script tag. The injected script will be reflected in the HTML output and executed by the browser. This can be done by manipulating the search form action attribute, which is vulnerable to the injection.
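As an added illustration, not code from CMSimple_XH, a minimal PHP rendering of the pattern the advisory describes: the request path echoed raw into a form action attribute, beside the attribute-encoded version and a fixed-action alternative. The function names, request layout and the constructed sample path are assumptions for this example.

```php
<?php
// Added illustration (not CMSimple_XH's own code): the vulnerable pattern the
// advisory describes, next to a hardened version. Function names and the
// request layout are assumptions for this example.

declare(strict_types=1);

// Vulnerable: the current path (attacker-controlled via the URL) is echoed
// straight into an attribute. A double quote in the path closes the attribute
// and the remainder of the segment is parsed as markup by the browser.
function render_search_form_vulnerable(string $requestPath): string
{
    return '<form action="' . $requestPath . '" method="get">'
         . '<input name="search"></form>';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES escapes both
// quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which would otherwise silently drop the output.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_search_form_hardened(string $requestPath): string
{
    return '<form action="' . html_attr($requestPath) . '" method="get">'
         . '<input name="search"></form>';
}

// Better still for a self-submitting form: do not reflect the request path at
// all, and point the action at a fixed script path the server controls.
function render_search_form_fixed_action(): string
{
    return '<form action="/index.php" method="get">'
         . '<input name="search"></form>';
}

// Constructed sample path containing a quote and markup; in the vulnerable
// renderer it breaks out of the attribute, in the hardened one it stays text.
$samplePath = '/index.php/"><em>injected</em>';

echo render_search_form_vulnerable($samplePath), PHP_EOL;
echo render_search_form_hardened($samplePath), PHP_EOL;
echo render_search_form_fixed_action(), PHP_EOL;
```

The same attribute-context encoding applies to every reflection point the advisory lists (navigation links, breadcrumbs, footer links), and the encoding must happen at output time in the template, not once at input time.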