Description: A file upload vulnerability in CMS Made Simple v2.2.18 allows a local attacker to upload a PDF file with hidden XSS.
Attack Vectors: A vulnerability in the File Manager's file upload sanitization allows a PDF file with hidden XSS to be uploaded.
After logging into the panel, we go to the "Content - File Manager" section of the General Menu.
We upload the PDF file with the hidden XSS and see that it can be executed: the Reflected XSS appears.
https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
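
A server-side content check of the kind the upload path described above is missing, as an added example (not CMS Made Simple code and not part of the original report): it rejects files that do not start as a PDF or whose name tokens indicate active content, decoding `#xx` name escapes first. The function names and the sample bytes are constructed for illustration.

```python
from __future__ import annotations
import re

# PDF name tokens that declare or trigger active content.
ACTIVE_NAMES = {"JS", "JavaScript", "OpenAction", "AA", "Launch"}
# Object streams hold compressed dictionaries that a byte scan cannot inspect.
OPAQUE_NAMES = {"ObjStm"}

NAME_RE = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[A-Za-z0-9_.\-+])+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def pdf_names(data: bytes) -> set[str]:
    """Return every name token in the file, with #xx escapes decoded."""
    names = set()
    for match in NAME_RE.finditer(data):
        raw = HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), match.group(1))
        names.add(raw.decode("latin-1"))
    return names

def check_pdf_upload(data: bytes) -> tuple[bool, list[str]]:
    """Return (accepted, reasons). Accept only inert, scannable PDFs."""
    if not data.startswith(b"%PDF-"):
        return False, ["not a PDF header"]
    found = pdf_names(data)
    reasons = sorted(found & ACTIVE_NAMES) + sorted(found & OPAQUE_NAMES)
    return (not reasons), reasons

# Constructed sample inputs (fragments, not complete documents).
BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
ACTIVE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction "
          b"<< /S /J#61vaScript /JS (placeholder) >> >>\nendobj\n%%EOF\n")
OPAQUE = b"%PDF-1.5\n5 0 obj\n<< /Type /ObjStm /N 1 /First 4 >>\nendobj\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("active", ACTIVE), ("opaque", OPAQUE)):
        print(label, check_pdf_upload(sample))
```

Short names such as `/AA` can also match by chance inside binary stream data, so a hit is best treated as a reason to quarantine the file for review. Serving stored uploads with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` keeps a file that slips through from rendering in the site's origin.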