CMSimple 5.2 XSS漏洞

From PwnWiki
Revision as of 16:10, 8 April 2021 by Pwnwiki (talk | contribs) (Created page with "==INFO== # Exploit Title: CMSimple 5.2 - 'External' Stored XSS # Date: 2021/04/07 # Exploit Author: Quadron Research Lab # Version: CMSimple 5.2 # Tested on: Windows 10 x64 HU...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

INFO

  1. Exploit Title: CMSimple 5.2 - 'External' Stored XSS
  2. Date: 2021/04/07
  3. Exploit Author: Quadron Research Lab
  4. Version: CMSimple 5.2
  5. Tested on: Windows 10 x64 HUN/ENG Professional
  6. Vendor: https://www.cmsimple.org/en/

[Description] The CMSimple 5.2 allow stored XSS via the Settings > CMS > Filebrowser > "External:" input field.

[Attack Vectors] The CMSimple cms "Filebrowser" "External:" input field not filter special chars. It is possible to place JavaScript code. The JavaScript code placed here is executed by clicking on the Page or Files tab.

[Proof of Concept] https://github.com/Quadron-Research-Lab/CVE/blob/main/CMSimple_5.2_XSS.pdf

Retrieved from "https://pwnwiki.com/index.php?title=CMSimple_5.2_XSS漏洞&oldid=1250"