CommonSpot CMS 5.1.0.x Cross Site Scripting vulnerabilities
Multiple reflected cross-site scripting vulnerabilities in PaperThin's CommonSpot CMS 5.0 and 5.1, reachable through loader.cfm, let an attacker hijack an administrator session or stage CSRF and phishing attacks against the platform.
CVSS Score
Severity
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Advisory
| Vendor | PaperThin |
| Software | CommonSpot CMS |
| Vulnerable Versions | 5.0.x through 5.1 (tested on 5.1.0.128, 5.0.3.132, 5.0.2.56) |
| Impact | Credential theft, CSRF, phishing via reflected XSS |
| Solution Status | Not fixed |
Background
CommonSpot by PaperThin is a commercial content management system. Business users author and publish content through loader.cfm and its supporting modules.
Description
Parameters passed to loader.cfm are reflected into the response without sanitization. An attacker who lures a logged-in admin to click a crafted URL can execute arbitrary JavaScript in that admin's browser, steal session credentials, issue CSRF requests against the CMS, or stage phishing.
Exploit / Proof of Concept
loader.cfm?csModule=security/email-login-info&errmsg=<img%20src=%27x%27%20onerror=%22alert%280%29;%22>&bNewWindow=0
Remediation
Upgrade CommonSpot CMS to a patched release; no fix was issued by PaperThin for 5.0.x–5.1.x at disclosure.
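With no vendor fix for the affected versions, reviewing web server logs for loader.cfm requests whose parameters decode to HTML markup is one compensating check. The script below is an added example, not part of the original advisory or PaperThin's code; the combined log format, the /commonspot/ path prefix, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markup with no place in a loader.cfm parameter: a tag opener, an inline
# event handler attribute, or a javascript: URI.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url):
    """Return names of loader.cfm parameters whose decoded value holds markup."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("loader.cfm"):
        return []
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [name for name, value in pairs if MARKUP_RE.search(fully_decode(value))]


def scan_log(lines):
    """Yield (line_number, [parameter names]) for each flagged log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            yield number, hits


# Constructed sample log lines (not real traffic); line 2 mirrors the PoC shape.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /commonspot/loader.cfm?csModule=security/email-login-info&bNewWindow=0 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /commonspot/loader.cfm?csModule=security/email-login-info&errmsg=%3Cimg%20src%3D%27x%27%20onerror%3D%22alert%280%29%3B%22%3E&bNewWindow=0 HTTP/1.1" 200 5300',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /commonspot/loader.cfm?errmsg=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25280%2529%253E HTTP/1.1" 200 5300',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /commonspot/loader.cfm?errmsg=Invalid%20login%20attempt HTTP/1.1" 200 5150',
]

if __name__ == "__main__":
    for number, names in scan_log(SAMPLE_LOG):
        print(f"line {number}: markup in parameter(s) {', '.join(names)}")
```

The same pattern can back a reverse-proxy rule that rejects such requests before they reach loader.cfm; it is a stopgap that filters input and does not replace output encoding in the application.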