Composr CMS 10.0.30 – Persistent Cross-Site Scripting

• Exploit Database
• 123 阅读

• 作者： Manuel García Cárdenas
  日期： 2020-05-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48496/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91

  # Title: Composr CMS 10.0.30 - Persistent Cross-Site Scripting # Author: Manuel Garcia Cardenas # Date: 2020-02-06 # Vendor: https://compo.sr/ # CVE: N/A     ============================================= MGC ALERT 2020-001 - Original release date: February 06, 2020 - Last revised:May 21, 2020 - Discovered by: Manuel Garcia Cardenas - Severity: 4,8/10 (CVSS Base Score) - CVE-ID: CVE-2020-8789 =============================================   I. VULNERABILITY ------------------------- Composr CMS 10.0.30 - (Authenticated) Cross-Site Scripting   II. BACKGROUND ------------------------- Composr CMS (or Composr) is a web application for creating websites. It is a combination of a Web content management system and Online community (Social Networking) software. Composr is licensed as free software and primarily written in the PHP programming language.   III. DESCRIPTION ------------------------- Has been detected a Persistent XSS vulnerability in Composr CMS, that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser.   IV. PROOF OF CONCEPT ------------------------- Go to: Security -> Usergroups -> Edit Usergroup   Select one Usergroup (for example Guest) and edit the Name (parameter name) for example with Guests"><script>alert(1)</script>   The variable "name" it is not sanitized, later, if some user visit the "Zone editor" area, the XSS is executed, in the response you can view:   <input type="hidden" name="label_for__access_1" value="Access for Guests"><script>alert(1)</script>" />   V. BUSINESS IMPACT ------------------------- An attacker can execute arbitrary HTML or Javascript code in a targeted user's browser, this can leverage to steal sensitive information as user credentials, personal data, etc.   VI. SYSTEMS AFFECTED ------------------------- Composr CMS<= 10.0.30   VII. SOLUTION ------------------------- Disable until a fix is available.   VIII. REFERENCES ------------------------- https://compo.sr/   IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).   X. REVISION HISTORY ------------------------- February 06, 2020 1: Initial release May 21, 2020 2: Last revision   XI. DISCLOSURE TIMELINE ------------------------- February 06, 2020 1: Vulnerability acquired by Manuel Garcia Cardenas February 06, 2020 2: Send to vendor April 06, 2020 3: New request, vendor doesn't answer. May 21, 2020 4: Sent to lists   XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.   XIII. ABOUT ------------------------- Manuel Garcia Cardenas Pentester