Description: Multiple Cross-Site Scripting (XSS) vulnerabilities in Quick CMS v6.7 allows a local attacker to execute arbitrary code via a crafted script to the to the Files - Description in the Pages Menu.
Attack Vectors: Scripting A vulnerability in the sanitization of the entry in the Description of "Pages- Files Menu" allows injecting JavaScript code that will be executed when the user accesses the web page.
When logging into the panel, we will go to the "Pages - Files ." section off General Menu.
We edit that Description Settings and see that we can inject arbitrary Javascript code in the Desription field.
'"><svg/onload=alert('Description')>
In the following image you can see the embedded code that executes the payload in the main web.