boiteasite / cmsuno

An easy and clever tool to create one-page responsive websites

CMSuno v1.7 stored XSS #17

Closed splint3rsec closed 3 years ago

splint3rsec commented 3 years ago

Hi :)

CMSuno version 1.7 is vulnerable to stored cross-site scripting. An authenticated attacker can inject a payload while updating the template's image filename after intercepting the request using Burp Suite via the tgo parameter. After a successful update of the template, the XSS is popped up in the website page.

Steps to reproduce

  1. Go to /uno.php and click on plugins
  2. Click on Logo 1
  3. Choose a random picture in your files repository, click on save and intercept the request using BurpSuite
  4. Change the tgo parameter value with the following [2]
  5. Forward the request and click on publish [3]
  6. Click on See the website [4]
  7. XSS [5] [6]

Thanks
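A general mitigation for this class of bug, as an added example that is not part of the thread and not the change shipped in V1.7.1: validate the image filename when it is saved and encode it when the page is published. The function names and the `/files/` base URL are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not CMSuno code. sanitize_image_name() and render_logo()
// are hypothetical names; '/files/' is an assumed base URL.

// Write path: accept only a plain image filename before it is stored.
function sanitize_image_name(string $raw): ?string
{
    // basename() drops any directory part; the allow-list then rejects quotes,
    // angle brackets, whitespace and anything else outside [A-Za-z0-9._-].
    $name = basename($raw);
    $ok = preg_match(
        '/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.(png|jpe?g|gif|webp)\z/i',
        $name
    );
    return $ok === 1 ? $name : null;
}

// Read path: encode the stored value for a URL path segment and then for an
// HTML attribute, so a value saved before the validation existed still
// cannot close the src="" attribute or open a new tag.
function render_logo(string $stored, string $baseUrl = '/files/'): string
{
    $src = htmlspecialchars(
        $baseUrl . rawurlencode($stored),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<img class="logo" src="' . $src . '" alt="">';
}

// Constructed inputs (not the value used in the report).
$samples = ['logo.png', 'photo-01.JPG', 'logo"><b>x</b>.png', '../notes.txt'];
foreach ($samples as $raw) {
    $clean = sanitize_image_name($raw);
    printf("%-22s => %s\n", $raw, $clean === null ? 'rejected' : render_logo($clean));
}

// A legacy value already in storage is rendered inert by the read path alone.
echo render_logo('logo"><b>x</b>.png'), "\n";
```

Applying both checks matters for a stored issue: the write-side allow-list stops new bad values, while the read-side encoding covers values that were saved before the check was in place.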

boiteasite commented 3 years ago

Hi,

Thanks for this full report. I will fix that.

Regards

boiteasite commented 3 years ago

This is fixed. V1.7.1

Regards

splint3rsec commented 3 years ago

Hi @boiteasite! Thank you for the patch. Is it possible to request a CVE ID?

fgeek commented 3 years ago

CVE-2021-36654 has been assigned for this issue. You can request CVEs via https://cveform.mitre.org/.

boiteasite commented 3 years ago

Thank you Henri, I did not know this site.

splint3rsec commented 3 years ago

Thank you @fgeek @boiteasite :) Have a nice day :)