MaxSite CMS Cross-Site Scripting Vulnerability in Mail Send Plugin

A cross-site scripting (XSS) vulnerability has been identified in MaxSite CMS versions prior to 109.4, specifically within the mail_send plugin. The issue arises from the plugin's failure to properly sanitize user input in the f_subject, f_files, and f_from fields, allowing attackers to inject malicious scripts. This vulnerability can be exploited remotely and has been publicly disclosed. Successful exploitation requires user interaction, as the injected script is executed in the context of the victim's browser.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where the injected script is executed in the context of other users, potentially leading to account compromise or unauthorized actions within the MaxSite CMS administrative panel.

Reproduction

To reproduce this vulnerability, send a request to the mail_send plugin with the f_subject, f_files, or f_from parameters containing unescaped JavaScript. The injected script will be executed when the data is viewed by another user.

Remediation

Upgrade to MaxSite CMS version 109.4 or later, where this vulnerability has been addressed.