Plone CMS 5.2.3 – ‘Title’ Stored XSS

• Exploit Database
• 34 阅读

• 作者： Piyush Patil
  日期： 2021-03-19
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/49668/

• # Exploit Title: Plone CMS 5.2.3 - 'Title' Stored XSS
  # Date: 18-03-2021
  # Exploit Author: Piyush Patil
  # Vendor Homepage: https://plone.com/
  # Software Link: https://github.com/plone/Products.CMFPlone/tags
  # Version: 5.2.3
  # Tested on: Windows 10
  
  
  # Reference - https://github.com/plone/Products.CMFPlone/issues/3255
  
  Steps to reproduce the issue:
  1- Goto https://localhost/ where Plone 5.2.3 version is installed.
  2- Click on "Log in now" and Login as "Manager"
  3- Navigate to Manager=>Site Setup=>Site
  4- Edit "Site title" field to "xyz<ScRiPt>alert(1)</ScRiPt>"