Description
CMS Sense version 2.0 suffers from a cross site scripting vulnerability...
Basic Information
ID
PACKETSTORM:218892
Published
Apr 14, 2026 at 00:00
Affected Product
Affected Versions
==================================================================================================================================
| # Title : CMS sense v 2.0 HTML Injection Leading to XSS via Attribute Breakout |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://senseconseil.com/en/ |
==================================================================================================================================
[+] Summary : A vulnerability has been identified in a content management script due to improper input sanitization. An attacker can inject
malicious HTML payloads such as "><b>test</b> to break out of HTML attributes and manipulate the DOM structure.
This issue can be escalated into Cross-Site Scripting (XSS), allowing execution of arbitrary JavaScript in the victimβs browser.
Successful exploitation may lead to session hijacking, cookie theft, and unauthorized actions performed on behalf of the user.
[+] POC : in search box https://127.0.0.1/fr/recherche
An attacker can break the context of HTML attributes using a simple payload like: "><b>test</b>
This results in the insertion of unauthorized HTML elements into the page and can later be developed into a JavaScript execution.
[+] Technical Details :
The application displays user input within an HTML element without any filtering: <input value="USER_INPUT">
When the following is entered: "><b>test</b>
It is interpreted as follows: <input value=""><b>test</b>">
[+] Context broken and a new HTML element injected
[+] Proof of Concept Payload:"><script>alert(document.cookie)</script>
[+] Steps to Reproduce
Go to any input field within the script (form/URL parameter)
Enter the following payload: "><script>alert(1)</script>
[+] Send the request
The JavaScript will be executed in the browser
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
| # Title : CMS sense v 2.0 HTML Injection Leading to XSS via Attribute Breakout |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://senseconseil.com/en/ |
==================================================================================================================================
[+] Summary : A vulnerability has been identified in a content management script due to improper input sanitization. An attacker can inject
malicious HTML payloads such as "><b>test</b> to break out of HTML attributes and manipulate the DOM structure.
This issue can be escalated into Cross-Site Scripting (XSS), allowing execution of arbitrary JavaScript in the victimβs browser.
Successful exploitation may lead to session hijacking, cookie theft, and unauthorized actions performed on behalf of the user.
[+] POC : in search box https://127.0.0.1/fr/recherche
An attacker can break the context of HTML attributes using a simple payload like: "><b>test</b>
This results in the insertion of unauthorized HTML elements into the page and can later be developed into a JavaScript execution.
[+] Technical Details :
The application displays user input within an HTML element without any filtering: <input value="USER_INPUT">
When the following is entered: "><b>test</b>
It is interpreted as follows: <input value=""><b>test</b>">
[+] Context broken and a new HTML element injected
[+] Proof of Concept Payload:"><script>alert(document.cookie)</script>
[+] Steps to Reproduce
Go to any input field within the script (form/URL parameter)
Enter the following payload: "><script>alert(1)</script>
[+] Send the request
The JavaScript will be executed in the browser
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================