MaxSite CMS Antispam Plugin Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Antispam Plugin of MaxSite CMS, affecting versions prior to 109.4. The issue arises in the file '/admin/plugin_antispam', where the 'f_logging_file' parameter is not properly sanitized, allowing attackers to inject malicious scripts. This vulnerability can be exploited remotely and is classified as a stored XSS, meaning the injected script is saved and can affect multiple users. The vulnerability has been publicly disclosed and exploited.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, upload a script payload into the 'f_logging_file' parameter via the Antispam Plugin's admin interface. The lack of proper input sanitization will allow the script to be executed when the logged information is viewed.

Remediation

Users are advised to upgrade to MaxSite CMS version 109.4 or later, where this vulnerability has been addressed.