CVE: 2023-41436
Description: Cross Site Scripting vulnerability in CSZCMS v.1.3.0 allows a local attacker to execute arbitrary code via a crafted script to the Additional Meta Tag parameter in the Pages Content Menu component.
Attack Vectors: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
CVSS3 Score: 5.4 - MEDIUM
When logging into the panel, we will go to the "Pages Content" section off General Menu [(http://localhost/cszcms/admin/pages)]
We edit the Content of /home and see that we can inject arbitrary Javascript code into the Additional Meta tag field.
<img src=1 onerror=alert("1")
In the following image you can see the embedded code that executes the payload in the main web /home with the admin user:
If we log in with another user, the payload also skips:
It can also be verified using other payloads as in the following evidence:
Or this other:
http://cszcms.com https://owasp.org/Top10/es/A03_2021-Injection/ https://owasp.org/www-community/attacks/xss/