CVE-2023-43345 in Quick
Summary
by MITRE • 10/25/2023
Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Content - Name parameter in the Pages Menu component.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/05/2026
This cross-site scripting vulnerability exists within the opensolution Quick CMS version 6.7, specifically targeting the Pages Menu component where the Content - Name parameter fails to properly sanitize user input. The flaw represents a classic reflected XSS vulnerability that enables attackers to inject malicious scripts into web pages viewed by other users. The vulnerability arises from insufficient input validation and output encoding mechanisms within the CMS's administrative interface, allowing an attacker to manipulate the Content - Name field with malicious payloads that execute in the context of other users' browsers.
The technical exploitation of this vulnerability requires a local attacker to leverage their access to the CMS administrative interface to inject crafted scripts into the Content - Name parameter. This type of vulnerability falls under CWE-79 - Improper Neutralization of Input During Web Page Generation, which specifically addresses the failure to properly encode or escape user-controllable data before including it in web page output. The attack vector operates through the web application's failure to implement proper input sanitization and output encoding controls, creating an environment where malicious scripts can be executed within the browser context of authenticated users.
The operational impact of this vulnerability extends beyond simple script execution, as it can potentially enable attackers to escalate privileges, steal session cookies, perform unauthorized actions on behalf of legitimate users, and access sensitive administrative functions. The local attacker position provides a significant advantage since they already possess legitimate access to the system, making the attack surface more limited but potentially more dangerous in terms of privilege escalation and data compromise. This vulnerability can facilitate session hijacking attacks, allowing unauthorized access to administrative functions and potentially leading to full system compromise. The attack can result in persistent XSS payloads that remain active until the affected page is reloaded or the session expires.
Mitigation strategies should focus on implementing comprehensive input validation and output encoding controls throughout the application's codebase, particularly within the Pages Menu component where the vulnerability exists. The recommended approach includes implementing strict parameter validation for all user-controllable inputs, utilizing proper HTML escaping mechanisms for output rendering, and applying Content Security Policy headers to limit script execution. Security measures should also include regular code reviews focusing on input handling and sanitization, implementing proper access controls to limit local administrative access, and deploying web application firewalls to detect and block malicious payloads. Organizations should consider applying the vendor-provided patch or upgrade to a secure version of Quick CMS as soon as possible, while also implementing monitoring for suspicious activities in the administrative interface that could indicate exploitation attempts. The remediation process should align with ATT&CK technique T1548.001 - Valid Accounts and T1566.001 - Phishing, as these techniques often accompany XSS exploitation efforts and should be monitored for in security operations centers.