Typesetter
cpe:2.3:a:typesettercms:typesetter:*:*:*:*:*:*:*
- <= 5.1
A reflected cross-site scripting vulnerability has been identified in Typesetter CMS versions 5.1 and prior. This issue resides within the administrative interface, specifically in the Tools Status move message handling. The vulnerability arises because the path parameter is reflected into the HTML output without adequate output encoding, allowing authenticated attackers to inject crafted input containing HTML or JavaScript. This injection could lead to the execution of arbitrary scripts in the context of the affected user's browser session.
Successful exploitation lets an attacker execute scripts in the context of an authenticated user's browser session.
To reproduce this vulnerability, an authenticated user can send a request to the Tools Status administrative interface with a crafted path parameter that includes JavaScript or HTML. The injected content will be reflected in the response, executing the script in the user's browser.
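The missing output encoding described above, shown beside the encoded form as an added example that is not Typesetter's code. The function names, message wording and sample value are hypothetical, and the sketch assumes the path is written into HTML element content.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an admin status handler that echoes a
// request-supplied path in a "moved" message. Not Typesetter's code.

// Before: the value is concatenated into markup as-is, so any HTML
// metacharacters in it are parsed by the browser as markup.
function moveMessageUnencoded(string $path): string
{
    return '<p class="status">Moved: ' . $path . '</p>';
}

// After: encode at the point of output for the HTML context.
// ENT_QUOTES covers both quote styles (needed if the value is ever
// placed in an attribute); ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function moveMessageEncoded(string $path): string
{
    return '<p class="status">Moved: ' . encodeHtml($path) . '</p>';
}

// Regression check: no markup-significant character from the input
// may survive unencoded in the rendered message body.
function rendersAsText(callable $render, string $path): bool
{
    $html  = $render($path);
    $inner = substr($html, strlen('<p class="status">Moved: '), -strlen('</p>'));
    return strpbrk($inner, '<>"\'') === false;
}

// Constructed sample value containing markup characters.
$sample = '/include/<b title="x">tool</b>';

var_dump(rendersAsText('moveMessageUnencoded', $sample));
var_dump(rendersAsText('moveMessageEncoded', $sample));
echo moveMessageEncoded($sample), PHP_EOL;
```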