vendor: b2evolution
by: Soham Bakore, Nakul Ratti
CVSS: 4.8 MEDIUM
Stored XSS
CWE: 79
Product Name: b2evolution
Affected Version From: 6.11.6
Affected Version To: 6.11.6
Patch Exists: YES
Related CWE: CVE-2020-22841
CPE: 2.3:a:b2evolution:b2evolution:6.11.6
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Chrome, Firefox on Windows and Linux
2021
b2evolution 6.11.6 – ‘plugin name’ Stored XSS
Log in with a high-privilege account, navigate to System -> Plugins, and select any plugin. Change the plugin name and enter the following payload in the name parameter: '><svg/onload=alert(123)>. The payload is stored in the database and executes when a victim views the plugin page. Exploiting this vulnerability requires high privileges, and it can affect other users with similar privileges.
Mitigation:
Ensure that user input is properly sanitized and validated before being stored in the database.
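
One way to apply this mitigation to the plugin name field, as an added example that is not b2evolution's own code: validate the name against an allow-list before storing it, and HTML-encode it whenever it is rendered. The function names, the plugin_name form field and the single-quoted attribute context (inferred from the payload's leading '>) are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: b2evolution's real plugin code is not shown on this page.

/** Validate a plugin display name before it is stored (allow-list plus length cap). */
function validate_plugin_name(string $name): ?string
{
    $name = trim($name);
    // Letters, digits, spaces and a few punctuation marks, 1 to 64 characters.
    if (preg_match('/^[\p{L}\p{N} ._\-]{1,64}$/u', $name) !== 1) {
        return null; // reject outright instead of trying to strip markup
    }
    return $name;
}

/** Encode a value for HTML text or quoted-attribute context at output time. */
function h(string $value): string
{
    // ENT_QUOTES matters here: the payload starts with a single quote, which
    // htmlspecialchars() leaves untouched under the default flags before PHP 8.1.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: the payload from the advisory and a benign name.
$samples = ["'><svg/onload=alert(123)>", 'Markdown plugin'];

foreach ($samples as $raw) {
    $stored = validate_plugin_name($raw);
    printf("input:     %s\n", $raw);
    printf("validated: %s\n", $stored === null ? '(rejected)' : $stored);
    // Encoding on output also neutralises values that were stored before the
    // validation existed: the quote and angle brackets become inert entities.
    printf("rendered:  <input name='plugin_name' value='%s'>\n\n", h($raw));
}
```

Validation on input alone does not cover names already saved in the database, so the output encoding has to be applied on every page that displays the plugin name.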