CVE-2021-39609

2021-08-23T00:00:00
ID AKB:24B56E10-12AC-4F3F-B9A8-B937DAA44314
Type attackerkb
Reporter AttackerKB
Modified 2021-08-31T00:00:00

Description

Cross Site Scripting (XSS) vulnerability exiss in FlatCore-CMS 2.0.7 via the upload image function.

Recent assessments:

nu11secur1ty at August 26, 2021 10:22am UTC reported:

Description:

Cross-Site Scripting (XSS SVG – Stored – PWNED PHPSESSID RCE) vulnerability exists in FlatCore-CMS 2.0.7 via the upload image function.
When the malicious user trick the administrator of the CMS system to upload the malicious SVG file, then
he can be already executed this code from everywhere on the internet, and the thing will be more worst than ever for the owner of this CMS system! ;)

@nu11secur1ty


Reproduce:

<https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-39609>

Proof:

<https://streamable.com/p13hgj>

Proof: PHPSESSID PWNED

<https://streamable.com/9aj8o6>

Cherylyin at August 31, 2021 10:40am UTC reported:

Description:

Cross-Site Scripting (XSS SVG – Stored – PWNED PHPSESSID RCE) vulnerability exists in FlatCore-CMS 2.0.7 via the upload image function.
When the malicious user trick the administrator of the CMS system to upload the malicious SVG file, then
he can be already executed this code from everywhere on the internet, and the thing will be more worst than ever for the owner of this CMS system! ;)

@nu11secur1ty


Reproduce:

<https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-39609>

Proof:

<https://streamable.com/p13hgj>

Proof: PHPSESSID PWNED

<https://streamable.com/9aj8o6>

Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 2