#1459 new
Oscar

Exponent CMS 2.6.0 patch2 Stored Cross-Site Scripting Vulnerability

Reported by Oscar | January 24th, 2022 @ 04:38 PM

Bug description

Exponent CMS 2.6.0 patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name", "Site Title" and "Site Header" parameters while updating the site settings on http://127.0.0.1/exponentcms/administration/configure_site.

CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSSv3 Base Score: 4.8

Steps to reproduce

  1. Click on the Exponent logo located on the upper left corner.
  2. Go to 'Configure Website'.
  3. Update the 'Site Title' field (or any of the vulnerable fields "Site/Organization Name", "Site Title" or "Site Header") with the following PoC.
    Exponent CMS" onmouseover=alert('xss')>
  4. If a user hovers the mouse over the logo or visits the 'Configure Website' page, the XSS will be triggered.

Attached below are the links to the advisory and our responsible disclosure policy.

System Information

  • Version: Exponent CMS 2.6.0 patch2
  • Operating System: Linux
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: MySQL
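
The root cause described in this report is a stored setting being written into an HTML attribute without output encoding, so a double quote in the value terminates the attribute and whatever follows becomes new markup. The following PHP is an added illustration and is not Exponent CMS code: it renders the same value through a vulnerable and a hardened template and then parses both results to check whether an event-handler attribute was created. The image path and the function names are assumptions chosen for the example; the sample value is the PoC string from the report, used here only as test input.

```php
<?php
// Added example, not part of Exponent CMS: attribute-context output encoding
// for a stored site setting, with a parse-based check of the rendered markup.
declare(strict_types=1);

// Encode a value for use inside a double-quoted HTML attribute.
// ENT_QUOTES also encodes single quotes, so the value is inert in either
// quoting style; ENT_SUBSTITUTE keeps invalid UTF-8 from silently blanking
// the whole title (the default behaviour of htmlspecialchars).
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the stored setting is interpolated verbatim into markup.
// A '"' inside $siteTitle closes alt= and the remainder becomes attributes.
function renderLogoUnsafe(string $siteTitle): string
{
    // "/themes/logo.png" is a placeholder path for this example.
    return '<img src="/themes/logo.png" alt="' . $siteTitle
         . '" title="' . $siteTitle . '">';
}

// Hardened pattern: every interpolation into attribute context goes through attr().
function renderLogoSafe(string $siteTitle): string
{
    return '<img src="/themes/logo.png" alt="' . attr($siteTitle)
         . '" title="' . attr($siteTitle) . '">';
}

// Parse the rendered fragment the way a browser would and report whether any
// element ended up with an on* attribute. Uses ext-dom (bundled with PHP).
function hasEventHandlerAttribute(string $html): bool
{
    $doc = new DOMDocument();
    // '@' silences libxml warnings about the fragment; the flags avoid an
    // implied <html><body> wrapper and a doctype being added.
    @$doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    foreach ($doc->getElementsByTagName('*') as $element) {
        foreach ($element->attributes as $attribute) {
            if (stripos($attribute->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

// Constructed input: the PoC value from the report, as it would sit in the
// settings store after an admin saved it.
$stored = 'Exponent CMS" onmouseover=alert(\'xss\')>';

$unsafe = renderLogoUnsafe($stored);
$safe   = renderLogoSafe($stored);

echo "Unsafe markup:\n  $unsafe\n";
echo "  event handler present: " . (hasEventHandlerAttribute($unsafe) ? 'yes' : 'no') . "\n\n";

echo "Safe markup:\n  $safe\n";
echo "  event handler present: " . (hasEventHandlerAttribute($safe) ? 'yes' : 'no') . "\n";
```

In the hardened output the quote is emitted as `&quot;`, so the browser treats the entire stored string as the literal alt/title text and no `onmouseover` attribute exists in the parsed DOM. The same `attr()` wrapper belongs on every place the three settings named in this report are echoed (logo alt text, page title, header), not only the one the PoC happens to hit, since the value is stored once and rendered in many templates.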

Comments and changes to this ticket

  • dleffler

    dleffler February 12th, 2022 @ 09:43 PM

    • Assigned user changed from “expNinja” to “dleffler”

    I think our approach has been that Admin users must be trusted. There's a lot of malicious stuff an Admin user can do.

Bug Tracker for Exponent CMS