Concrete5 8.5.4 Cross Site Scripting

2021.03.02

Credit: nu11secur1ty

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2021-3111

CWE: CWE-79

CVSS Base Score: 3.5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 6.8/10

Exploit range: Remote

Attack complexity: Medium

Authentication: Single time

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

# Exploit Title: Cross site scripting(XSS)
# Author: nu11secur1ty
# Date: 02.27.2021
# Vendor: https://www.concrete5.org/download
# Link: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-3111
# CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3111
[Exploit]
# Place
- Navigate to entries directory
concrete5-8.5.4/index.php/dashboard/express/entries/
# PoC
- Copy and paste the int_string in to Handle field
nu11secur1ty0000000111111100101010100100100100101010101
- fill in the remaining fields and save
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://www.exploit-db.com/
https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Concrete5 8.5.4 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.