Hebing123 / cve


Reflected XSS Vulnerability in SeaCms V12.9 #54

Open Hebing123 opened 2 months ago

Hebing123 commented 2 months ago

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in SeaCms V12.9. Multiple reflective XSS vulnerabilities were discovered in \js\player\dmplayer\play\index.php.

Details

We discovered that SeaCms has very strict policies for front-end functionalities, frequently incorporating methods from filter.inc.php, filter_input, webscan.php, and replace to filter inputs, which has addressed most potential vulnerabilities. After careful consideration, we have limited this vulnerability to versions before V12.9, as V13 introduced the WEBSCAN module with very strict filtering. This might limit payload execution to a single 2-click scenario. Only in versions prior to V12.9 can a complete exploit chain be constructed for this vulnerability. In \js\player\dmplayer\play\index.php, we found multiple reflective XSS vulnerabilities, such as with the color, vid, and url parameters. For the color parameter, code injection can be achieved by closing the preceding <style> tag. For the vid and url parameters, code injection can be achieved by closing the preceding <script> tag.

POC

http://your-ip/js/player/dmplayer/player/index.php?color=%3C/style%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://your-ip/js/player/dmplayer/player/index.php?vid=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E

http://your-ip/js/player/dmplayer/player/index.php?url=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E

One might ask why these files do not incorporate filter.inc.php. I speculate this might be because they use a third-party player called "ChaoFang Bilibili Danmu Player."
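The breakout the report describes depends on where each parameter is reflected: inside a <style> block for color, inside a <script> block for vid and url. The PHP below is an added illustration, not SeaCms code (the real index.php is not reproduced here); it uses a hypothetical player page that echoes the parameters raw, and a hardened version that validates or encodes each value for the exact output context it lands in.

```php
<?php
// Added illustration (not SeaCms source): a minimal player page that reflects
// three query parameters into a CSS context and a JavaScript context.

// --- Vulnerable pattern: raw reflection lets "</style>" or "</script>" close the
// enclosing block, so the browser parses whatever follows as new markup. ---
function render_player_vulnerable(array $get): string
{
    $color = $get['color'] ?? '#ffffff';
    $vid   = $get['vid'] ?? '';
    $url   = $get['url'] ?? '';
    return "<style>.player { color: $color; }</style>\n"
         . "<script>var vid = '$vid'; var url = '$url';</script>\n";
}

// --- Hardened pattern: treat each value according to its output context. ---
function render_player_hardened(array $get): string
{
    // CSS context: there is no safe general-purpose encoder, so validate instead.
    // Only a literal hex colour is accepted; anything else falls back to a default.
    $color = $get['color'] ?? '#ffffff';
    if (!preg_match('/^#[0-9a-fA-F]{3,6}$/', $color)) {
        $color = '#ffffff';
    }
    // JavaScript context: emit a JSON string literal with < > & ' " hex-escaped
    // (\u003C etc.), so "</script>" can never appear in the output and the
    // value cannot leave the string it was placed in.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $vid = json_encode((string)($get['vid'] ?? ''), $flags);
    $url = json_encode((string)($get['url'] ?? ''), $flags);
    return "<style>.player { color: $color; }</style>\n"
         . "<script>var vid = $vid; var url = $url;</script>\n";
}

// Constructed inputs mirroring the report's PoC payloads, URL-decoded.
$poc = [
    'color' => '</style><script>alert(document.cookie)</script>',
    'vid'   => '</script><script>alert(1)</script>',
    'url'   => '</script><script>alert(1)</script>',
];
echo "VULNERABLE:\n", render_player_vulnerable($poc), "\n";
echo "HARDENED:\n",   render_player_hardened($poc),   "\n";

// The hardened output contains no closing tag supplied by the input.
assert(strpos(render_player_hardened($poc), '</script><script>') === false);
assert(strpos(render_player_hardened($poc), '</style><script>') === false);
```

Note that htmlspecialchars() alone would not be the right fix for vid and url: inside a <script> block the HTML parser does not decode entities, so JavaScript-context escaping (here via json_encode with the JSON_HEX_* flags) is what prevents the </script> breakout.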

Hebing123 commented 1 month ago

CVE-2024-7163