Multiple cross-site scripting (XSS) vulnerabilities in cms/front_content.php in Contenido before 4.9.6, when advanced mod rewrite (AMR) is disabled, allow remote attackers to inject arbitrary web script or HTML via the (1) idart, (2) lang, or (3) idcat parameter.
Contenido CMS versions prior to 4.9.6 are vulnerable to reflected cross-site scripting (XSS) because user-supplied request parameters are written into the page without being encoded. An attacker can inject JavaScript that runs in the victim's browser within the origin of the vulnerable site, potentially leading to session hijacking, account compromise, data theft, and website defacement.
Step 1: Payload Construction: The attacker crafts a URL to cms/front_content.php that carries a JavaScript payload in the idart, lang, or idcat parameter.
Step 2: Payload Delivery: The attacker gets the URL in front of a victim, typically through phishing, social engineering, or a link planted on another site.
Step 3: Request Submission: The victim opens the link, and the victim's browser sends the request to the vulnerable Contenido server.
Step 4: Vulnerable Code Execution: The cms/front_content.php script processes the request, reads the values of the idart, lang, or idcat parameters, and inserts them directly into the HTML output without output encoding.
Step 5: Payload Execution: The victim's browser renders the HTML, including the attacker's injected JavaScript, which executes with the privileges of the vulnerable site's origin. The attacker can then steal cookies or session tokens, redirect the user, or deface the page as seen by that user.
The vulnerability stems from missing input validation and output encoding in cms/front_content.php when Advanced Mod Rewrite (AMR) is disabled: the script writes the idart, lang, and idcat parameters into the HTML output without HTML-entity encoding them, so an attacker can break out of the surrounding markup and inject arbitrary JavaScript that the victim's browser executes. Because the injected value arrives in the request and is echoed in the same response, this is a reflected XSS. The fix is to validate the parameters against the form they are expected to take and to HTML-entity-encode any user-supplied value at the point of output.
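The following is an added example, not Contenido's own code, covering both the attack steps above and the root cause just described. It models how cms/front_content.php might echo idart, lang and idcat into a self-referencing link when AMR is off (the exact markup Contenido emits is an assumption), puts the encoded-on-output fix and a validate-then-encode variant beside it, and includes the harmless probe check a tester would use to confirm whether a reflection is encoded. The assumption that all three parameters are numeric ids, the PROBE canary and the helper names are this example's own.

```python
import html
import re
from urllib.parse import parse_qs, urlencode

PARAMS = ("idart", "lang", "idcat")

# Constructed canary: unique markers around the characters that matter in
# HTML attribute and text context. It is harmless to send to a live site;
# seeing it come back verbatim proves the value is not encoded.
PROBE = 'c7q"\'<>c7q'

LINK = ('<a href="front_content.php?idcat=%(idcat)s&amp;idart=%(idart)s'
        '&amp;lang=%(lang)s">next</a>')

ID_RE = re.compile(r"[0-9]{1,10}")  # assumption: idart/lang/idcat are numeric ids


def make_query(params):
    """Build the parsed query a server would see for a URL with these params."""
    return parse_qs(urlencode(params))


def first(query, name, default=""):
    """parse_qs returns lists; use the first value."""
    return query.get(name, [default])[0]


def render_vulnerable(query):
    """Hypothetical stand-in for the pre-4.9.6 behaviour: parameter values
    are copied straight into the HTML with no encoding."""
    return LINK % {k: first(query, k) for k in PARAMS}


def render_encoded(query):
    """Fix 1: HTML-entity-encode every user value at the point of output.
    html.escape(quote=True) plays the role of PHP's htmlspecialchars with
    ENT_QUOTES, so quotes, < and > can no longer close the attribute or tag."""
    return LINK % {k: html.escape(first(query, k), quote=True) for k in PARAMS}


def render_hardened(query):
    """Fix 2 (defence in depth): validate the expected shape first, and still
    encode on output. A value that is not a plain id is rejected without ever
    being echoed back into the response."""
    values = {}
    for k in PARAMS:
        v = first(query, k, "0")
        if not ID_RE.fullmatch(v):
            return "<p>Invalid request</p>"
        values[k] = html.escape(v, quote=True)
    return LINK % values


def reflects_unencoded(body, probe=PROBE):
    """True when the probe appears verbatim: metacharacters were not encoded."""
    return probe in body


def reflects_encoded(body, probe=PROBE):
    """True when the probe appears only in its entity-encoded form."""
    return html.escape(probe, quote=True) in body and probe not in body


def scan(render, probe=PROBE):
    """Place the probe in each parameter in turn (others set to benign ids)
    and return the names of the parameters that reflect it unencoded."""
    hits = []
    for target in PARAMS:
        params = {k: "1" for k in PARAMS}
        params[target] = probe
        if reflects_unencoded(render(make_query(params)), probe):
            hits.append(target)
    return hits


if __name__ == "__main__":
    print("vulnerable:", scan(render_vulnerable))   # all three parameters
    print("encoded   :", scan(render_encoded))      # none
    print("hardened  :", scan(render_hardened))     # none
```

Against a real deployment the same probe is sent in each of the three parameters of cms/front_content.php and the response body is run through reflects_unencoded; with AMR enabled the parameters are rewritten into the path and the page states the issue does not apply, so the check is only meaningful when the query-string form is in use.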