Zotonic 0.46 mod_admin Cross Site Scripting

2019-05-03T00:00:00
ID PACKETSTORM:152717
Type packetstorm
Reporter Ramon Janssen
Modified 2019-05-03T00:00:00

Description

                                        
                                            `# Exploit Title: Zotonic <=0.46 mod_admin (Erlang) - Reflective Cross-Site Scripting  
# Date: 24-04-2019  
# Exploit Author: Ramòn Janssen  
# Researchers: Jan-martin Sijs, Joost Quist, Joost Vondeling, Ramòn Janssen  
# Vendor Homepage: http://zotonic.com/  
# Software Link: https://github.com/zotonic/zotonic/releases/tag/0.46.0  
# Version: <=0.46  
# CVE : CVE-2019-11504  
  
Attack type  
Remote  
  
Impact  
Code Execution  
  
Zotonic versions prior to 0.47 have multiple authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities in the management module. The vulnerabilitie can be exploited when an authenticated user with administrative permissions visits the crafted URL (i.e. when phished or visits a website containing the URL). The XSS effects the following URLs and parameters of the management module:  
- /admin/overview/ [qcat, qcustompivot, qs]  
- /admin/users/ [qs]  
- /admin/media/ [qcat,qcustompivot, qs]  
  
Example: https://[host]/admin/overview?qcustompivot="><script>prompt(‘XSS’)</script>  
  
Affected source code file zotonic_mod_admin:  
- zotonic_mod_admin_identity\priv\templates\_admin_sort_header.tpl  
- zotonic_mod_admin_identity\priv\templates\admin_users.tpl  
  
Reference(s)  
http://docs.zotonic.com/en/latest/developer-guide/releasenotes/rel_0.47.0.html  
`