News247 News Magazine 1.0 Cross Site Scripting

2022.09.15
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

# Exploit Title: News247 - News Magazine (CMS) v1.0 – Stored Cross Site Scripting (XSS) # Exploit Author: Ravinder Verma # Date: Septmeber 14, 2022 # Vendor Homepage: https://www.sourcecodester.com/php/14952/news247-news-magazine-php-script.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/news247.zip # Tested on: Kali Linux, Apache, Mysql # Vendor: 255programmer # Version: v1.0 # CVE [Reserved] : CVE-2021-41731 # Exploit Description: # News247 - News Magazine (CMS) v1.0 suffers from a stored cross site scripting (XSS) Vulnerability. Admin can publish blogs under various categories. When creating new "blog category", if admin give malicious payload like *""><img src=x onerror=alert(document.cookie)>* into the category name field and publish that blog. Then it allows you to execute arbitrary JavaScript in the context of the whole user who visited that page. It can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top