CVE-2023-43343 in Quick CMSinfo

Summary

by MITRE • 10/25/2023

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Files - Description parameter in the Pages Menu component.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 02/05/2026

This cross-site scripting vulnerability exists within the opensolution Quick CMS version 6.7, specifically targeting the Pages Menu component where the Files - Description parameter is processed. The flaw represents a classic server-side input validation failure that enables persistent XSS attacks, allowing malicious actors to inject malicious scripts into the application's response. The vulnerability is classified as a local attack vector, meaning that an attacker must already have some level of access to the system to exploit this weakness, though this access level may be relatively low given the nature of CMS administration interfaces. The issue stems from insufficient sanitization of user-supplied input in the description field, which is then rendered without proper encoding or filtering mechanisms. This vulnerability directly maps to CWE-79 - Improper Neutralization of Input During Web Page Generation, which is a fundamental weakness in web application security that allows attackers to inject malicious scripts into web pages viewed by other users. The attack follows the typical XSS exploitation pattern where an attacker crafts a malicious script payload that gets stored in the application's database and subsequently executed in the context of other users' browsers. The operational impact of this vulnerability is significant as it can lead to session hijacking, credential theft, data exfiltration, and potential privilege escalation within the CMS environment. Attackers could leverage this vulnerability to gain unauthorized access to administrative functions or to manipulate content in ways that could compromise the entire website's integrity. The ATT&CK framework categorizes this as a web application attack vector under T1566 - Phishing, where the malicious script could be used to harvest user credentials or redirect users to malicious sites. The vulnerability's persistence stems from the fact that the malicious script is stored in the database and executed every time the affected page is loaded, making it particularly dangerous for long-term exploitation. The CMS's Pages Menu component serves as the attack surface where the vulnerable parameter is processed, indicating that any user with access to modify page descriptions could potentially exploit this weakness. This type of vulnerability is particularly concerning in content management systems where multiple users may have varying levels of access and where content is frequently edited and published. The security implications extend beyond simple script execution as this vulnerability could enable attackers to manipulate the CMS's administrative interface, potentially leading to complete system compromise. Organizations using this CMS version should immediately assess their access controls and implement proper input validation mechanisms to prevent malicious scripts from being stored in the system. The vulnerability highlights the importance of implementing proper output encoding and input validation at every point where user data is processed and rendered within web applications. Mitigation strategies should include immediate patching of the CMS to the latest version, implementation of web application firewalls, and comprehensive security testing of all input parameters. Additionally, organizations should consider implementing Content Security Policy headers to prevent unauthorized script execution even if similar vulnerabilities exist in other components of the application. The presence of such a vulnerability in a widely used CMS underscores the critical need for regular security assessments and prompt patch management to prevent exploitation by threat actors.

Reservation

09/18/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00677

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!