CVE-2024-1529

Name of the Vulnerable Software and Affected Versions CMS Made Simple version 2.2.14

Description The issue arises from insufficient encoding of user-controlled input, leading to a Cross-Site Scripting (XSS) vulnerability. This can be exploited through the "/admin/adduser.php" API endpoint, specifically in multiple parameters. A remote attacker could send a specially crafted JavaScript payload to an authenticated user, potentially taking over their browser session.

Recommendations For CMS Made Simple version 2.2.14, consider disabling access to the "/admin/adduser.php" endpoint until a patch is available. Additionally, restrict the use of multiple parameters in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.