BlogMagz 1.0 - Stored XSS

2023.06.18
lb CraCkEr (LB) lb
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Author : CraCkEr Website : techrobot.in - https://www.codester.com/items/41338/ Vendor : Tech Robot Software : BlogMagz CMS 1.0 Vuln Type: Stored XSS Impact : Manipulate the content of the site Release Notes: The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Reflected XSS (RXSS) Path: /search GET Parameter 'q' is Vulnerable to Reflected XSS (RXSS) https://website/search?q=[XSS] ## Stored XSS --------------------------------------------------------- POST /blogmagz/ajax/article/add-comment HTTP/2 post_id=8&comment=[XSS Payload] --------------------------------------------------------- ## Steps to Reproduce: 1. Login in Any Normal User Mode 2. Comment On Any Post with Your [XSS Payload] 3. When Admin Visit the Admin Panel The XSS Will Fire On his Browser 4. When the Admin will Visit https://website/blogmagz/admin/pending-comments 5. The XSS Will Fire Again on his Browser [-] Done © CraCkEr 2023


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top