Disclosure date:  08/17/19


FuelCMS 1.4.4, and possibly earlier versions, is affected by a cross-site scripting (XSS) vulnerability in the Create Blocks section of the Admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account but can also impact unauthenticated visitors.
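
The underlying defect class is a stored value (here the block Name) written into HTML without output encoding. The following is an added example, not FuelCMS source code and not part of the original advisory: it contrasts an unencoded rendering of a log entry with an encoded one. The function names, the log entry markup and the name policy are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not FuelCMS source code.

// Encode a stored value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: the stored name is concatenated into markup as-is,
// so any markup it contains is interpreted by the browser.
function render_log_entry_unsafe(string $user, string $blockName): string
{
    return '<li>' . $user . ' saved block "' . $blockName . '"</li>';
}

// After: every stored value is encoded at the point of output.
// This must happen at each sink (save confirmation, activity log,
// public page), because the same stored value reaches all of them.
function render_log_entry(string $user, string $blockName): string
{
    return '<li>' . h($user) . ' saved block "' . h($blockName) . '"</li>';
}

// Defense in depth (assumed policy): restrict names on input to
// letters, digits, underscore, hyphen and slash.
function is_valid_block_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_\/-]{1,100}\z/', $name) === 1;
}

// Constructed sample input standing in for a Name value containing markup.
$name = '<script>alert(1)</script>';

echo render_log_entry_unsafe('admin', $name), PHP_EOL; // markup passes through
echo render_log_entry('admin', $name), PHP_EOL;        // markup is entity-encoded
var_dump(is_valid_block_name($name));                  // rejected by the name policy
var_dump(is_valid_block_name('footer/contact_info'));  // accepted
```

Input validation alone is not sufficient, since values already stored before the check was introduced would still be rendered; encoding at output covers those as well.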

From the console, select Blocks and populate the Name field with an XSS payload:

When selecting Save:

We see the XSS execute. We can also see the XSS execute in the Activity Log:

Viewing the POST request in Burp:

The source for the corresponding form: