BlackCat CMS 1.3.6 Cross Site Scripting

2021.02.18

Credit: Kamaljeet Kumar

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: BlackCat CMS 1.3.6 - 'Display name' Cross Site Scripting (XSS)
# Date: 16-02-2021
# Exploit Author: Kamaljeet Kumar - TATA Advanced Systems Limited
# Vendor Homepage: https://blackcat-cms.org/
# Software Link: https://blackcat-cms.org/page/download.php
# Version: BlackCat CMS - 1.3.6
# Tested on: Windows
# Steps to Reproduce:
1. To exploit this vulnerability an attacker has a login in the admin panel and clicks on the admin profile button. Then use " onmouseover=alert(1) " this XSS payload on Display name field and click on the Save button.
2 .Then refresh the page and hover the mouse on Display name filed and our XSS message pop up.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

BlackCat CMS 1.3.6 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.