News247 News Magazine 1.0 Cross Site Scripting

2022.09.15

Credit: Ravinder Verma

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2021-41731

CWE: CWE-79

# Exploit Title: News247 - News Magazine (CMS) v1.0 – Stored Cross Site Scripting (XSS) 
# Exploit Author: Ravinder Verma 
# Date: Septmeber 14, 2022 
# Vendor Homepage: https://www.sourcecodester.com/php/14952/news247-news-magazine-php-script.html 
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/news247.zip 
# Tested on: Kali Linux, Apache, Mysql 
# Vendor: 255programmer 
# Version: v1.0 
# CVE [Reserved] : CVE-2021-41731 
# Exploit Description:

#   News247 - News Magazine (CMS) v1.0 suffers from a stored cross site
scripting (XSS) Vulnerability. Admin can publish blogs under various
categories. When creating new "blog category", if admin give malicious
payload like *""><img src=x onerror=alert(document.cookie)>* into the
category name field and publish that blog. Then it allows you to execute
arbitrary JavaScript in the context of the whole user who visited that
page. It can be abused to steal session cookies, perform requests in the
name of the victim or for phishing attacks.

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

News247 News Magazine 1.0 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.