Description: Pixelimity CMS is prone to a Persistent Cross-Site Scripting attack that allows a malicious user to inject HTML or scripts that can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.
Advisory Details:
A Cross-Site Scripting (XSS) was discovered in “portfolio latest version”, which can be exploited to execute arbitrary code.
The vulnerability exist due to insufficient filtration of user-supplied data in the “data%5Bsite_name%5D” HTTP POST parameter passed to the “/admin/setting.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to see a pop-up messagebox:
Proof of concept:
1、Login as admin.
2、Locate URL - http://127.0.0.39/pixelimity/admin/portfolio.php and click on "Setting"
3、Put XSS payload in the "data%5Bsite_name%5D" parameter Pixelimity"><script>alert(1)</script> and click on "Save Setting"
The text was updated successfully, but these errors were encountered:
Product: pixelimity
Download: https://github.com/pixelimity/pixelimity/
Vunlerable Version: latest version
Tested Version: latest version
Author:qianxiao996
Description: Pixelimity CMS is prone to a Persistent Cross-Site Scripting attack that allows a malicious user to inject HTML or scripts that can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.
Advisory Details:



A Cross-Site Scripting (XSS) was discovered in “portfolio latest version”, which can be exploited to execute arbitrary code.
The vulnerability exist due to insufficient filtration of user-supplied data in the “data%5Bsite_name%5D” HTTP POST parameter passed to the “/admin/setting.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to see a pop-up messagebox:
Proof of concept:
1、Login as admin.
2、Locate URL - http://127.0.0.39/pixelimity/admin/portfolio.php and click on "Setting"
3、Put XSS payload in the "data%5Bsite_name%5D" parameter Pixelimity"><script>alert(1)</script> and click on "Save Setting"
The text was updated successfully, but these errors were encountered: