Submit #434188: MonoCMS 23-20240528 Improper Neutralization of Alternate XSS Syntax

Title: MonoCMS 23-20240528 Improper Neutralization of Alternate XSS Syntax

Description:
[XSS vulnerability] found in MonoCMS 23-20240528 - (/monofiles/account.php)

Affected Project: MonoCMS
Web: PHP
Vendor: MonoCMS
Official Website: https://monocms.com/
Version: 23-20240528
Updated: 28 May, 2024
Related Code file: /monofiles/account.php
Injection parameter: userid
Sha1: 9532cda20cf7fa456d6f00ce0fe194767913ba83

Vulnerability Description: The issue arises because the userid parameter from the URL is inserted directly into the value attribute of an HTML input element without any encoding. This allows an attacker to inject arbitrary HTML or JavaScript, leading to an XSS attack.

Vulnerable code:
<input name="hiddenid" type="text" value="<?php if (isset($_GET['userid'])) print $_GET['userid'] ?>" hidden>

Injection Payload Tested: We set userid to:
"><script>alert('XSS')</script>
URL-encoded, this becomes:
%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E

Resulting HTML After Injection:
<input name="hiddenid" type="text" value=""><script>alert('XSS')</script>" hidden>

The leading "> of the injected payload closes the value attribute and the input tag, so the <script> tag that follows is inserted into the DOM as its own element.

Execution: When the browser parses this HTML, it executes the <script>alert('XSS')</script> code, resulting in a popup displaying "XSS by secuserx".

Demonstration: Below is what /monofiles/account.php looks like:
https://i.postimg.cc/dV25sxCv/1.png

Then we add our payload "><script>alert('XSS by secuserx')</script>:
http://localhost:8080/monofiles/account.php?userid="><script>alert('XSS by secuserx')</script>
https://i.postimg.cc/CKwmzsC8/2.png

After submitting the URL with the vulnerable parameter userid and the XSS payload "><script>alert('XSS by secuserx')</script>, XSS is triggered:
https://i.postimg.cc/pdkk85k6/3.png

Recommendation for Preventing XSS: To fix this vulnerability, user input must always be encoded before it is rendered into HTML. In PHP, htmlspecialchars() encodes the special characters; passing ENT_QUOTES encodes both quote characters as well, which is what prevents a value from terminating the attribute it sits in.

Example:
<input name="hiddenid" type="text" value="<?php if (isset($_GET['userid'])) print htmlspecialchars($_GET['userid'], ENT_QUOTES, 'UTF-8') ?>" hidden>
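As an added example (not MonoCMS code and not part of the submission), the PHP script below renders the hidden input the reported way and the recommended way, then parses both results with DOMDocument so the difference is visible to a parser rather than only in a screenshot: the unencoded rendering yields an empty value attribute plus a separate script element, while the encoded rendering carries the whole string as the attribute value and produces no script element. The function names and the trailing ctype_digit() remark are assumptions of this example, not part of the report.

```php
<?php
// Added example (not MonoCMS code): render the account.php hidden input with
// and without output encoding, then parse both results to see what a browser
// would build from them.

function render_vulnerable(string $userid): string {
    // Same pattern as the reported code: raw query value printed into an attribute.
    return '<input name="hiddenid" type="text" value="' . $userid . '" hidden>';
}

function render_fixed(string $userid): string {
    // The fix from the report. ENT_QUOTES encodes both " and ', so the value
    // cannot terminate the attribute whichever quote style the template uses.
    $safe = htmlspecialchars($userid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="hiddenid" type="text" value="' . $safe . '" hidden>';
}

// Parse a fragment and report the first input's value attribute and the number
// of <script> elements the parser produced from it.
function inspect(string $fragment): array {
    $doc = new DOMDocument();
    // NOIMPLIED/NODEFDTD keep libxml from wrapping the fragment in html/body;
    // @ silences parser warnings about the stray text after the injected tags.
    @$doc->loadHTML($fragment, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $inputs  = $doc->getElementsByTagName('input');
    $scripts = $doc->getElementsByTagName('script');
    return [
        'value'   => $inputs->length > 0 ? $inputs->item(0)->getAttribute('value') : null,
        'scripts' => $scripts->length,
    ];
}

// Constructed test input: the payload from the report, before URL encoding.
$payload = '"><script>alert(\'XSS\')</script>';

echo "unencoded: ", json_encode(inspect(render_vulnerable($payload))), "\n";
echo "encoded:   ", json_encode(inspect(render_fixed($payload))), "\n";

// Assumption, not stated in the report: if userid is always numeric, a
// whitelist check such as ctype_digit($userid) before use would reject this
// input outright. Output encoding is still required regardless.
```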
Source: https://github.com/secuserx/CVE/blob/main/%5BXSS%20vulnerability%5D%20found%20in%20MonoCMS%2023-20240528%20-%20(account.php).md
User: secuserx (UID 76735)
Submission: 10/30/2024 01:22 AM (3 months ago)
Moderation: 11/06/2024 05:37 PM (8 days later)
Status: Accepted
VulDB Entry: 283326 [MonoCMS up to 20240528 Account Information Page /monofiles/account.php userid cross site scripting]
Points: 20
