Skip to content

CVE-2022-24227 [Updated]: BoltWire v8.00 vulnerable to "Stored Cross-site Scripting (XSS)"

Notifications You must be signed in to change notification settings

Cyber-Wo0dy/CVE-2022-24227-updated

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 

Repository files navigation

CVE-2022-24227 [Updated] - BoltWire v8.00 - Stored Cross-site Scripting (XSS)

Description

CVE-2022-24227 [Updated]: In version 8.00 of BoltWire CMS, the First Name and Last Name fields on the member registration completion page are also vulnerable to stored cross-site scripting (XSS) attacks, just like version 7.10. This type of attack allows malicious scripts to be executed.

Fix Suggestion

Sanitize user entries in these fields.

Steps to Reproduce:

1) Create a new member. step 1

2) On the next page, you will be asked to enter the new member’s First Name, Last Name and Country. Here, fill in First Name: and Last Name: with the following payloads:

First Name:

<script>alert(XSS)</script>

Last Name:

<script>alert(document.cookie)</script>

step 2

3) As a result, when the administrator goes to the “Members” page and tries to list recent members, the payloads will be triggered. step 2

4) To view other users' passwords, simply change the “admin” parameter in the URL provided above to another user's name, for example member.user.

Reference

About

CVE-2022-24227 [Updated]: BoltWire v8.00 vulnerable to "Stored Cross-site Scripting (XSS)"

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published