# NodCMS 3.4.1 - Stored XSS

## Description

Author : skalvin aka (CraCkEr)
Date : 28/06/2023
Website : https://nodcms.com/ - https://github.com/khodakhah/nodcms
Vendor : NodCMS by Chic Theme
Software : NodCMS 3.4.1 - Stored XSS
Vuln Type: Stored XSS
Impact : Manipulate the content of the site
Release Notes:
Allows an attacker to inject malicious code into the website, giving the ability to steal sensitive
information, manipulate data, and launch additional attacks.
## Stored XSS

```http
POST /en/blog-comment-4 HTTP/1.1

comment_name=[XSS Payload]&comment_content=[XSS Payload]
```

POST parameter 'comment_name' is vulnerable to XSS
POST parameter 'comment_content' is vulnerable to XSS
## Steps to Reproduce

1. Browse as a guest, without registering on the website.
2. Go to [Blog] at this path (https://website/en/blog).
3. Click [Send a comment].
4. Inject your [XSS Payload] in "Name".
5. Inject your [XSS Payload] in "Comment".
6. Send.
7. The XSS fires and executes in the visitor's browser when they visit the page you commented on.
8. When an admin visits [Client's Comments] to check the [Blog comments list] in the Administration Panel at this path (https://website/admin-blog/comments),
9. the XSS fires and executes in their browser.

[-] Done
| Field | Value |
|---|---|
| User | skalvin (UID 49463) |
| Submission | 28/06/2023 20:49 (3 years ago) |
| Moderation | 12/07/2023 18:09 (14 days later) |
| Status | Accepted |
| VulDB entry | 233887 [khodakhah NodCMS 3.4.1 POST Request /en/blog-comment-4 comment_name/comment_content cross site scripting] |
| Points | 17 |