CVE-2023-43872 - File Upload Vulnerability in CMS Made Simple 2.2.18 Allows Hidden XSS in PDF Files

CMS Made Simple (CMSMS) is a pretty popular web content management system, used for building websites quickly and easily. But sometimes, simple tools come with simple mistakes—just like in the case of CVE-2023-43872. In this post, I’ll walk you through how a local attacker can use CMSMS version 2.2.18 to upload a PDF file with hidden Cross Site Scripting (XSS) payload, and why it’s a big deal. We’ll look at the code flow, exploit details, and how you can protect your website from this.

What is CVE-2023-43872?

CVE-2023-43872 is a vulnerability in CMS Made Simple v2.2.18 that allows local attackers (like users with backend access, such as editors) to upload malicious PDF files. The trick is: these PDFs aren’t just documents—they can hide XSS scripts which then get executed when viewed in the browser by others (like admins).

Official Reference

- NVD Entry
- CMS Made Simple Downloads
- Github Advisory *(May not exist, for example)*

1. Upload Functionality

CMSMS allows users to upload files—mostly so editors can attach images, documents, PDFs and more to website content.

But, the file upload procedure in admin/filemanager doesn’t check if, say, a uploaded PDF actually only contains safe data. It just checks file type and extension.

2. PDFs as XSS Vectors

Most people think PDFs are safe. But, web browsers often use PDF.js or similar viewers to show PDFs inline. These viewers can be tricked into rendering parts of the PDF as HTML, or the PDF could link back to the main page using JavaScript URIs embedded inside.

A specially-crafted PDF *can* contain <script> blocks, or malicious links, and when opened by an unsuspecting admin or user inside CMSMS, these scripts might get executed in the context of CMSMS’s domain—classic Cross Site Scripting!

Proof-of-Concept (PoC) Attack

Here’s a simplified example of how an exploit could work.

Step 1: The attacker logs in with editor privileges.

Step 2: The attacker creates a malicious PDF containing an XSS payload.
There are free tools online for adding JUICY JavaScript to PDFs, but here's how you could do it with pdf-lib and a script tag in a link field, or even simpler—with the help of *bad intentions* and a PDF editor.

Sample Malicious PDF Creation Code (Node.js)

const fs = require('fs');
const { PDFDocument } = require('pdf-lib');

// Create a new PDF document
const pdfDoc = await PDFDocument.create();
const page = pdfDoc.addPage([600, 400]);

// Add unusual link annotation with javascript:
page.drawText('Click here', { x: 50, y: 300 });

page.node.set('Annots', pdfDoc.context.obj([
  pdfDoc.context.obj({
    Type: 'Annot',
    Subtype: 'Link',
    Rect: [50, 300, 150, 330],
    A: {
      S: 'JavaScript',
      JS: pdfDoc.context.str('app.alert("XSS")'),
    }
  })
]));

// Save the PDF
const pdfBytes = await pdfDoc.save();
fs.writeFileSync('xss.pdf', pdfBytes);

In reality, attackers can use online tools like Hexway PDF XSS Tool or just download existing payload samples.

Step 3: Upload PDF to CMS Made Simple via Admin > File Manager.

Step 4: Admin or high-privilege user views the PDF in the browser inline, or as a download—depending on configuration, the payload runs!

### How to Spot/Verify the Vulnerability

You need a locally authenticated user.

Click upload, pick a crafted PDF

3. Save/upload file

Open PDF in browser through file manager or page link

5. See if the XSS fires: Try <script>alert("Hacked!")</script> in your payload, or use browser debugging tools.

Why is This Dangerous?

- Privilege Escalation: If an admin opens the malicious PDF, attacker can steal session cookies, change settings, or even add a new admin user!

Stealing Info: The XSS can grab sensitive data from the CMSMS backend.

- Persistent Attack: As the malicious PDF sits in the file manager, anyone viewing it is at risk—until deleted.

1. Strict File Validation

Do not trust PDFs. Before allowing upload, run uploaded PDFs through content sniffers or use only trusted file types.

Set your web server so PDFs are always downloaded, not displayed in-browser. Add to .htaccess

AddType application/octet-stream .pdf

3. Sanitize Output

Don’t render uploaded files directly; always use safe download endpoints.

### 4. Patch/Upgrade
Check for patched versions of CMS Made Simple or plugins that improve upload safety.

Conclusion

CVE-2023-43872 is a great reminder that “safe” file types like PDF are not always innocuous. CMS Made Simple 2.2.18 lets local attackers upload infected PDFs that can hide Cross Site Scripting payloads—a potential disaster if an admin casually opens the wrong file.

References

- CVE-2023-43872 at NVD
- CMS Made Simple Security Announcements
- OWASP File Upload Cheat Sheet


*This guide is written for educational purposes only—don’t use it for unauthorized access or testing! Spread awareness, not malware.*

Timeline

Published on: 09/28/2023 14:15:24 UTC
Last modified on: 10/30/2023 19:45:30 UTC