sromanhu/CVE-2023-44769_ZenarioCMS--Reflected-XSS---Alias

ZenarioCMS Reflected XSS v.9.4.59197

Author: (Sergio)

Description: Cross-Site Scripting vulnerability in ZenarioCMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script submitted to the Spare aliases field under Alias.

Attack Vectors: A flaw in the sanitization of input to the Spare aliases field allows injecting JavaScript code that is executed when the user accesses the web page.


POC:

After logging into the panel, we go to the "Menu node properties - Select content item" of the Administration Menu.

We select an alias and click on Edit content item.

In Edit alias, we add the payload in the Spare aliases field, and the reflected XSS pop-up appears.

XSS Payload:

<><img src=1 onerror=alert('Spare')>


We can also access the alias panel from the Edit Layout of the administration panel and add the payload there.
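Added example (not part of the original write-up and not Zenario code): one way to close this class of bug is to validate each spare alias against an allow-list and to HTML-encode any value that is reflected back to the page. The separators, the alias pattern and all function names are assumptions made for illustration; the sample input is constructed and reuses the payload shown above.

```javascript
// Assumed policy (hypothetical): spare aliases arrive as a comma- or
// newline-separated list; a valid alias starts with a letter or digit and
// contains only letters, digits, "-" and "_", up to 75 characters.
const ALIAS_RE = /^[A-Za-z0-9][A-Za-z0-9_-]{0,74}$/;

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a value for an HTML text node or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Split the raw field and sort each entry into accepted or rejected.
function validateSpareAliases(raw) {
  const accepted = [];
  const rejected = [];
  for (const part of String(raw).split(/[,\r\n]+/)) {
    const entry = part.trim();
    if (entry === '') continue;
    (ALIAS_RE.test(entry) ? accepted : rejected).push(entry);
  }
  return { accepted, rejected };
}

// Build the feedback shown to the admin. Nothing is saved if any entry is
// rejected, and rejected input is reflected only after encoding, so markup
// in it is displayed as text instead of being parsed by the browser.
function renderAliasFeedback(raw) {
  const { accepted, rejected } = validateSpareAliases(raw);
  const items = rejected.map(
    (v) => `<li class="error">Invalid alias: ${escapeHtml(v)}</li>`
  );
  return {
    save: rejected.length === 0 ? accepted : [],
    html: `<ul>${items.join('')}</ul>`,
  };
}

// Constructed sample: two well-formed aliases around the payload from the PoC.
const SAMPLE = "summer-sale, <><img src=1 onerror=alert('Spare')>\nold_home";
console.log(renderAliasFeedback(SAMPLE));
```

Validation alone is not enough if other code paths echo the raw value, so the encoding step is applied at every point where the field is written into HTML.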


Additional Information:

https://zenar.io/

https://owasp.org/Top10/es/A03_2021-Injection/
