Description: Cross Site Scripting vulnerability in ZenarioCMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Page Layout.
Attack Vectors: A flaw in the sanitization of the Page Layout entry allows injecting JavaScript code that is executed when a user accesses the web page.
After logging into the panel, go to "Layout - Page Layout" in the Administration Menu.
We click on Edit Layout and add the following payload:
<img src=x:alert(alt) onerror=eval(src) alt='XSS Page Layout'>
In the following image you can see the embedded code that executes the payload on the main website.
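The entry above contains neither a script tag nor a javascript: URL, so a filter that looks only for those lets it through. The following added example (not Zenario code and not from the original report) compares such a denylist with an attribute allowlist audit on that entry. The allowlist contents, URL rule and function names are assumptions, and the regex tokenizer is a review heuristic rather than a full HTML parser.

```javascript
// Added example; ALLOWED, SAFE_URL and the function names are hypothetical, not Zenario code.
const ALLOWED = new Map([            // assumed allowlist of tags -> attributes for layout markup
  ["img", new Set(["src", "alt", "width", "height"])],
  ["a", new Set(["href", "title"])],
  ["div", new Set(["class"])],
  ["p", new Set()],
]);
const SAFE_URL = /^(https?:\/\/|\/(?!\/)|#)/i;  // http(s), root-relative paths, fragments

// Denylist check: only looks for <script> tags and javascript: URLs.
function naiveDenylist(html) {
  return !/<script\b|javascript:/i.test(html);   // true means "looks clean"
}

// Allowlist audit: report every tag, attribute or URL that is not explicitly permitted.
function auditLayoutHtml(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const [, rawTag, rawAttrs] of html.matchAll(tagRe)) {
    const tag = rawTag.toLowerCase();
    const allowed = ALLOWED.get(tag);
    if (!allowed) { findings.push(`<${tag}>: tag not allowed`); continue; }
    for (const m of rawAttrs.matchAll(attrRe)) {
      const name = m[1].toLowerCase();
      const value = (m[2] ?? m[3] ?? m[4] ?? "").trim();
      if (!allowed.has(name)) {
        findings.push(`<${tag}>: attribute "${name}" not allowed`);
      } else if ((name === "src" || name === "href") && !SAFE_URL.test(value)) {
        findings.push(`<${tag}>: ${name} URL not allowed: ${value}`);
      }
    }
  }
  return findings;
}

// The entry shown on this page, and a constructed benign entry for comparison.
const pagePayload = "<img src=x:alert(alt) onerror=eval(src) alt='XSS Page Layout'>";
const benignEntry = '<img src="/images/logo.png" alt="Logo">';

console.log("denylist passes page entry:", naiveDenylist(pagePayload));
console.log("allowlist findings:", auditLayoutHtml(pagePayload));
console.log("benign findings:", auditLayoutHtml(benignEntry));
```

The audit flags both the `onerror` attribute and the non-HTTP `src` value, while the benign entry produces no findings.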