This repository documents a Cross-Site Scripting (XSS) vulnerability discovered in RiteCMS v3.0.0, which I reported and which was assigned the CVE ID CVE-2024-28623.
- CVE ID: CVE-2024-28623
- Product: RiteCMS
- Version Affected: v3.0.0
- Vulnerability Type: Reflected Cross-Site Scripting (XSS)
- Vulnerable Component: main_menu/edit_section
- Status: Publicly disclosed on NVD
The XSS vulnerability allows an attacker to execute arbitrary JavaScript in the victim's browser, leading to:
- Credential or session token theft
- Phishing attacks via fake forms or redirects
- Full control over the victim's session (browser-based)
- Potential privilege escalation (depending on context)
```
'"><svg/onload=confirm(/xsss/)>
```
This payload demonstrates a basic reflected XSS vector that triggers a JavaScript confirm() dialog when rendered unsanitized.
POC.1.mp4: This video demonstrates how the XSS vulnerability in RiteCMS v3.0.0 is triggered using the payload.
- Input Validation: Properly sanitize and encode all user input rendered in HTML.
- Patch CMS: Upgrade to a patched version when available.
- Security Headers: Implement CSP (Content Security Policy) to restrict script execution.
- WAF: Use a Web Application Firewall to detect and block common XSS payloads.
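The output-encoding and CSP mitigations above, as an added PHP example (not RiteCMS source code and not part of the original repository). It assumes the value is reflected into a double-quoted HTML attribute; the field name `title` and the helpers `render_field_unsafe`, `e`, `render_field_safe` and `csp_header` are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not RiteCMS source code.

// Constructed sample input: the proof-of-concept string shown on this page.
$input = '\'"><svg/onload=confirm(/xsss/)>';

// Vulnerable pattern: request data concatenated straight into an attribute.
// The leading '" closes the attribute and > closes the tag, so the rest of
// the string is parsed as new markup.
function render_field_unsafe(string $value): string
{
    return '<input type="text" name="title" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES encodes both ' and ", so the value cannot close the attribute
// whichever quote style the template uses. Before PHP 8.1 the default flag
// was ENT_COMPAT, which leaves single quotes untouched, so pass it explicitly.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_field_safe(string $value): string
{
    return '<input type="text" name="title" value="' . e($value) . '">';
}

// Defence in depth: a policy without 'unsafe-inline' stops inline event
// handlers such as onload= from running even if an encoding call is missed.
function csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'";
}

if (PHP_SAPI === 'cli') {
    // Command-line run: print both renderings side by side for comparison.
    echo render_field_unsafe($input), PHP_EOL;
    echo render_field_safe($input), PHP_EOL;
    echo csp_header(), PHP_EOL;
} else {
    // Web run: send the policy before any output is produced.
    header(csp_header());
}
```

Run from the command line, the second line of output keeps the payload inside the `value` attribute as inert text, while the first shows the `<svg>` element escaping it.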
Discovered & Reported By: @GURJOTEXPERT
CVE Link: CVE-2024-28623
Contact: For questions or collaboration, open an issue or message via GitHub.
This repository is published for educational and research purposes only. Do not attempt to exploit this vulnerability on systems you do not own or have explicit permission to test.