Pligg CMS 2.0.2 Stored XSS

2015.04.23

Credit: Joel V

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Hi Team,
#Affected Vendor: http://pligg.com/
#Date: 23/04/2015
#Discovered by: Joel Vadodil Varghese
#Type of vulnerability: Persistent XSS
#Tested on: Windows 8.1
#Product: Pligg CMS
#Version: 2.0.2
#Tested Link: http://localhost/pligg/admin/admin_page.php
Description: Pligg CMS is a content management platform that powers tens of thousands of websites. It specializes in creating social publishing networks, where users submit and promote content similar to sites like Digg, Reddit, and Mixx.Pligg CMS is vulnerable to stored xss vulnerability. The parameter "page_title" and "page_content" are the vulnerable parameter which will lead to its compromise.
#Proof of Concept (PoC): "><img src="a.jpg" onerror="alert('XSS')"/>
--
Regards,
Joel V

References:

http://localhost/pligg/admin/admin_page.php

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Pligg CMS 2.0.2 Stored XSS

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.