minewebcms 1.15.2 – Cross-site Scripting (XSS)

• Exploit Database
• 14 阅读

• 作者： Chetanya Sharma
  日期： 2022-04-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50853/

• # Exploit Title: minewebcms 1.15.2 - Cross-site Scripting (XSS)
  # Google Dork: NA
  # Date: 02/20/2022
  # Exploit Author: Chetanya Sharma @AggressiveUser
  # Vendor Homepage: https://mineweb.org/
  # Software Link: https://github.com/mineweb/minewebcms
  # Version: 1.15.2
  # Tested on: KALI OS
  # CVE : CVE-2022-1163
  #
  ---------------
  
  Steps to Reproduce:-
  => Install the WebApp and Setup it
  => Login in to webAPP using Admin Creds. 
  => Navigate to "http://localhost/MineWebCMS-1.15.2/admin/navbar"
  => Add/Edit a Link Select "Drop-Down Menu"
  => "Link Name" and "URL" Both Input are Vulnerable to Exploit Simple XSS 
  =>Payload : <script>alert(1);</script>
  => XSS will trigger on "http://localhost/MineWebCMS-1.15.2/" Aka WebApp HOME Page
  
  Note : As you can see this simple payload working in those two inputs as normally . Whole WebApp Admin Input Structure is allow to do HTML Injection or XSS Injection 
  
  References: https://huntr.dev/bounties/44d40f34-c391-40c0-a517-12a2c0258149/