jaws-project / jaws

Jaws is a Web Application Framework and Content Management System for building dynamic web sites.
http://jaws-project.com

Cross-Site Scripting Vulnerability (XSS) found on Jaws 1.6.0 CMS #191

Closed security-breachlock closed 5 years ago

security-breachlock commented 5 years ago

Description: The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

Vulnerability Name: Persistent XSS

Vulnerable URL: http://localhost/jaws-master/jaws-master/admin.php?gadget=Blocks

Discovered by BreachLock

Website: https://www.breachlock.com

Author: Rahul Kumar Rai

Proof of concept:

Step 1: Login to the account as an admin. Select the gadgets “Blocks”. Then enter the XSS payload in the “Title” and “Contents” field. After that click on the “Save” button.

Step 2: After saving, click on the “Preview” button. Then our XSS payload got executed for the fields “Title” and “Contents”.

afz commented 5 years ago

Hi, this area is protected by administrative permissions, and entering JavaScript is permitted.
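
The output encoding the report refers to as "proper HTML escaping", set beside the maintainer's position that administrators may enter JavaScript, as an added example that is not Jaws code and not part of either comment. The helper `h()`, the function `render_block_preview()`, the array keys and the `$rawHtmlAllowed` flag are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of Jaws: encode text for an HTML body or
// quoted-attribute context.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a stored block for preview.
// $block: ['title' => string, 'contents' => string] as read from storage.
// $rawHtmlAllowed: true only when the block was authored under a permission
// that deliberately allows raw HTML/JavaScript in "Contents".
function render_block_preview(array $block, bool $rawHtmlAllowed): string
{
    // A title is plain text, so it is always encoded on output.
    $title = h($block['title']);

    // Contents are emitted verbatim only under the explicit permission;
    // otherwise they are encoded like any other untrusted string.
    $contents = $rawHtmlAllowed ? $block['contents'] : h($block['contents']);

    return "<div class=\"block\">\n"
         . "  <h2>{$title}</h2>\n"
         . "  <div class=\"block-contents\">{$contents}</div>\n"
         . "</div>\n";
}

// Constructed sample record standing in for a saved block.
$stored = [
    'title'    => '<script>alert(1)</script>',
    'contents' => '<script>alert(1)</script>',
];

// Preview without the raw-HTML permission: both fields render as inert text.
echo render_block_preview($stored, false);

// Preview for a block authored under the raw-HTML permission: the title is
// still encoded, the contents are passed through by design.
echo render_block_preview($stored, true);
```

In the first call the markup appears as `&lt;script&gt;...` in both fields; in the second only the title does, which keeps the script-capable surface limited to the one field where it is an intended feature.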