Cross Site Scripting (globalmetadata) (CMS Made Simple)
Description
CMS Made Simple version 2.1.6 contains a stored cross-site scripting (XSS) vulnerability in the Global Metadata field located in the administrative interface (Admin > Site Settings > General Settings). Authenticated administrators can inject malicious JavaScript or HTML code into this field, which will execute in the browsers of other users who view pages containing the metadata. This vulnerability is tracked as CVE-2017-6556 and affects the trust boundary between administrative users.
Remediation
Upgrade CMS Made Simple to version 2.2 or later, which addresses this vulnerability. To remediate this issue:
1. Back up your current CMS Made Simple installation and database
2. Download version 2.2 or later from the official CMS Made Simple website
3. Follow the official upgrade documentation to update your installation
4. After upgrading, review the Global Metadata field content for any suspicious or unexpected JavaScript/HTML code
5. Clear the field and re-enter legitimate metadata if any malicious content is found
As a temporary mitigation if immediate upgrading is not possible, restrict administrative access to trusted users only, implement additional authentication controls for administrative accounts, and regularly audit the Global Metadata field for unauthorized modifications. However, upgrading remains the only complete solution.