Giters

sromanhu / CVE-2023-43342-Quick-CMS-Stored-XSS---Languages-Frontend

Quick CMS 6.7 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a crafted payload to the Frontend- Pages in the Languages Menu.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Quick CMS Stored XSS v6.7

Author: (Sergio)

Description: A Cross-Site Scripting (XSS) vulnerability in Quick CMS v6.7 allows a local attacker to execute arbitrary code via a crafted script to the to the Front and back end - Pages in the Languages Menu.

Attack Vectors: Scripting A vulnerability in the sanitization of the entry in the Pages of "Languages- Front and back end" allows injecting JavaScript code that will be executed when the user accesses the web page.

POC:

When logging into the panel, we will go to the "Languages - Front and back end ." section off General Menu.

XSS payload Languages - Pages

We edit that Front and back end Settings and see that we can inject arbitrary Javascript code in the Pages field.

XSS Payload:

'"><svg/onload=alert('Pages')>

In the following image you can see the embedded code that executes the payload in the main web. XSS Languages - Pages Resultado


Additional Information:

https://opensolution.org/cms-system-quick-cms.html

https://owasp.org/Top10/es/A03_2021-Injection/

About

Quick CMS 6.7 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a crafted payload to the Frontend- Pages in the Languages Menu.