Submit #175493: NodCMS 3.4.1 - Stored XSS

Title: NodCMS 3.4.1 - Stored XSS
Description:

Author : skalvin aka (CraCkEr)
Date : 28/06/2023
Website : https://nodcms.com/ - https://github.com/khodakhah/nodcms
Vendor : NodCMS by Chic Theme
Software : NodCMS 3.4.1 - Stored XSS
Vuln Type: Stored XSS
Impact : Manipulate the content of the site
Release Notes: Allows an attacker to inject malicious code into the website, giving the ability to steal sensitive information, manipulate data, and launch additional attacks.

## Stored XSS

------------------------------------------------------------
POST /en/blog-comment-4 HTTP/1.1

comment_name=[XSS Payload]&comment_content=[XSS Payload]
------------------------------------------------------------

POST parameter 'comment_name' is vulnerable to XSS
POST parameter 'comment_content' is vulnerable to XSS

## Steps to Reproduce:

1. Surf (as Guest) "Without Register on Website"
2. Go to [Blog] on this Path (https://website/en/blog)
3. Click [Send a comment]
4. Inject your [XSS Payload] in "Name"
5. Inject your [XSS Payload] in "Comment"
6. Send
7. XSS will fire & execute in the visitor's browser when they visit the page you commented on
8. When the ADMIN visits [Client's Comments] to check the [Blog comments list] in the Administration Panel on this Path (https://website/admin-blog/comments), the XSS will fire & execute in his browser

[-] Done
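The defect above is stored data rendered without output encoding in two sinks: the public blog page and the admin comment list. As an added illustration (written for this page, not NodCMS code and not part of the submission), the vulnerable raw-interpolation pattern is shown beside a hardened rendering of the two fields the advisory names; the comment record is a constructed sample.

```python
"""Added illustration (not NodCMS code): output-encode guest comment fields."""
import html

# Constructed sample comment record with markup in both user-controlled
# fields, mirroring the two POST parameters named in the advisory.
SAMPLE_COMMENT = {
    "comment_name": 'Guest "x" <script>/*constructed*/</script>',
    "comment_content": 'Nice post <img src=x onerror="/*constructed*/">',
}


def esc(value: str) -> str:
    """HTML-encode a user-controlled string for an element-body or
    double-quoted attribute context (quote=True also encodes ' and ")."""
    return html.escape(value, quote=True)


def render_unsafe(comment: dict) -> str:
    """The vulnerable pattern: stored fields interpolated raw into HTML."""
    return (f"<li><strong>{comment['comment_name']}</strong>"
            f"<p>{comment['comment_content']}</p></li>")


def render_public(comment: dict) -> str:
    """Hardened blog-page rendering: every field encoded at output time."""
    return (f"<li><strong>{esc(comment['comment_name'])}</strong>"
            f"<p>{esc(comment['comment_content'])}</p></li>")


def render_admin_row(comment: dict) -> str:
    """Hardened admin comment-list row. The admin panel is a second sink for
    the same stored record, so it needs the same encoding as the public page
    (here one field also lands in a double-quoted attribute)."""
    return (f'<tr><td title="{esc(comment["comment_name"])}">'
            f"{esc(comment['comment_name'])}</td>"
            f"<td>{esc(comment['comment_content'])}</td></tr>")


def contains_raw_markup(rendered: str, fields: dict) -> bool:
    """Regression check: does any user-controlled field survive unencoded?"""
    return any(value in rendered for value in fields.values())


if __name__ == "__main__":
    print(render_public(SAMPLE_COMMENT))
    print(render_admin_row(SAMPLE_COMMENT))
```

The `contains_raw_markup` check is the kind of assertion a template test can run over both views so that a fix in one sink is not silently missing from the other.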
User: skalvin (UID 49463)
Submission: 06/28/2023 20:49 (3 years ago)
Moderation: 07/12/2023 18:09 (14 days later)
Status: Accepted
VulDB entry: 233887 [khodakhah NodCMS 3.4.1 POST Request /en/blog-comment-4 comment_name/comment_content cross site scripting]
Points: 17
