Lucene search
Aldi Saputra WahyudiPACKETSTORM:178900HistoryJun 03, 2024 - 12:00 a.m.
Sitefinity 15.0 Cross Site Scripting
2024-06-0300:00:00
Aldi Saputra Wahyudi
packetstormsecurity.com
47
sitefinity cms
cross-site scripting
sf editor
exploit
aldi saputra wahyudi
cve-2023-27636
windows
linux
`# Exploit Title: Sitefinity 15.0 - Cross-Site Scripting (XSS)
# Date: 2023-12-05
# Exploit Author: Aldi Saputra Wahyudi
# Vendor Homepage: https://www.progress.com/sitefinity-cms
# Version: < 15.0.0
# Tested on: Windows/Linux
# CVE : CVE-2023-27636
# Description: In the backend of the Sitefinity CMS, a Cross-site scripting vulnerability has been discovered in all features that use SF-Editor
# Steps To Reproduce:
Attacker as lower privilege
Victim as Higher privilege
1. Login as an Attacker
2. Go to the function using the SF Editor, go to the news page as example
3. Create or Edit news item
4. On the content form, insert the XSS payload as HTML
5. After the payload is inserted, click on the content form (just click) and publish or save
6. If the victim visits the page with XSS payload, XSS will be triggered
Payload: <noalert><iframe src="javascript:alert(document.domain);">
`
Related
cvelist
cvelist
CVE-2023-27636
2024-06-16 00:00:00
zdt
zdt
Sitefinity 15.0 - Cross-Site Scripting Vulneraility
2024-06-04 00:00:00
vulnrichment
vulnrichment
CVE-2023-27636
2024-06-16 00:00:00
nvd
nvd
CVE-2023-27636
2024-06-16 21:15:50
cve
cve
CVE-2023-27636
2024-06-16 21:15:50
exploitdb
exploitdb
Sitefinity 15.0 - Cross-Site Scripting (XSS)
2024-06-03 00:00:00