$_GET['cs-msg'] is not escaped.
So we have reflected XSS. What is more important it bypass Google Chrome XSS Auditor (tested on 39.0.2171.95):
But we can elevate this to normal XSS by creating new text sidebar which will be displayed on every page:
Proof of Concept:
Admin must visit this crafted urls:
- 11-01-2015: Discovered
- 11-01-2015: Vendor notified
- 13-01-2015: Version 18.104.22.168 released, issue resolved