[*] :: Title: EduFirm School & College Web Portal CMS Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-04-27
[*] :: Software: EduFirm School & College Web Portal CMS
[?] :: Technical Details & Description:
# Weak security measures, such as the absence of any filtering of input field data, have been discovered in the «EduFirm School & College Web Portal CMS».
[?] :: Demo Website:
# https://codecanyon.net/item/edufirm-school-college-web-portal-cms/23658170
# Frontend: http://scweb.businesswithtechnology.com/
# Backend: http://scweb.businesswithtechnology.com/login
# Login/Password: webadmin@edufirm.com/123
[!] :: Special Note:
# This CMS has a lot of settings, but many of them are blocked on the demo website. This doesn't mean that the web application is secure.
[!] :: For developers:
# Disabling data changes on a demo website doesn't make your applications more secure. It's good for business and sales, but you are simply double-crossing your clients.
[+] :: PoC [Links]:
# http://scweb.businesswithtechnology.com
# http://scweb.businesswithtechnology.com/admin/page
[+] :: PoC [Stored XSS Injection]:
# Log in to the demo website for testing, then go to any page with a text field or text box, e.g. http://scweb.businesswithtechnology.com/admin/settings/general
# Click on the «Header & Footer Scripts» tab; you'll see the «Header Codes», «Footer Codes» and «Post Foot Codes» text areas. Put your payload in the first text area, «Header Codes», e.g. <script>alert('QUIXSS');</script>, or stay on the «Admin & Branding» tab and inject your payload into the «Copyright©» text field. On the http://scweb.businesswithtechnology.com/admin/page page you can inject your payload into the «Title» field.
# Sample payload #1: <script>alert('QUIXSS')</script>
# Sample payload #2: <img src="x" onerror="window.location.replace('https://twitter.com/quixss');">
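# Added example, not part of the original advisory and not the CMS's own code: the output encoding that is missing for the «Copyright©» and «Title» text fields, shown as a vulnerable render beside a hardened one. The page template, function names and field keys are assumptions made for illustration (Python is used because the advisory does not name the CMS's language); the two stored values are the sample payloads above.

```python
import html
from html.parser import HTMLParser

# Constructed stand-ins for values saved through the «Title» and «Copyright©»
# fields; the strings are the two sample payloads quoted in this advisory.
STORED = {
    "title": "<img src=\"x\" onerror=\"window.location.replace('https://twitter.com/quixss');\">",
    "copyright": "<script>alert('QUIXSS')</script>",
}

# Hypothetical page template; the real CMS templates are not shown in the advisory.
TEMPLATE = "<h1>{title}</h1><footer>{copyright}</footer>"


def render_unsafe(fields):
    """Vulnerable pattern: stored text is placed into the markup unchanged."""
    return TEMPLATE.format(**fields)


def render_safe(fields):
    """Hardened pattern: every stored value is HTML-encoded at output time."""
    encoded = {key: html.escape(value, quote=True) for key, value in fields.items()}
    return TEMPLATE.format(**encoded)


class ActiveMarkupFinder(HTMLParser):
    """Records script elements and on* event-handler attributes in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag} {name} handler")


def active_markup(page):
    """Parse rendered HTML the way a browser tokenizer would and list active markup."""
    finder = ActiveMarkupFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    print("unsafe:", active_markup(render_unsafe(STORED)))
    print("safe:  ", active_markup(render_safe(STORED)))
```

# Judging by the tab name, the «Header Codes», «Footer Codes» and «Post Foot Codes» areas are meant to hold scripts, so encoding does not apply to them; the control there is who is allowed to edit them.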