b2evolution 6.11.6 - 'tab3' Reflected XSS

vendor:

b2evolution

by:

Nakul Ratti, Soham Bakore

6.1

CVSS

MEDIUM

Reflected XSS

CWE

Product Name: b2evolution

Affected Version From: 6.11.6

Affected Version To: 6.11.6

Patch Exists: YES

Related CWE: CVE-2020-22839

CPE: 2.3:a:b2evolution:b2evolution:6.11.6

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Chrome, Firefox on Windows and Linux

2021

b2evolution 6.11.6 – ‘tab3’ Reflected XSS

Send the following URL http://HOST/evoadm.php?.ctrl=comments&filter=restore&tab3=123%22onmouseover=%22alert(document.domain)%22&blog=1&blog=1 to the logged in victim using any social engineering technique. When an unsuspecting user with high privileges opens this URL, XSS will be triggered which will execute the malicious javascript payload in users browser. The vulnerable parameter in this case is “tab3”.

Mitigation:

Input validation and output encoding should be used to prevent XSS attacks.

Source

Exploit-DB raw data:

# Exploit Title: b2evolution 6.11.6 - 'tab3' Reflected XSS
# CVE: CVE-2020-22839
# Date: 10/02/2021
# Exploit Author: Nakul Ratti, Soham Bakore
# Vendor Homepage: https://b2evolution.net/
# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
# Version: 6.11.6
# Tested on: latest version of Chrome, Firefox on Windows and Linux

--------------------------Proof of Concept-----------------------

Steps to Reproduce:

1. Send the following URL http://HOST/evoadm.php?.ctrl=comments&filter=restore&tab3=123%22onmouseover=%22alert(document.domain)%22&blog=1&blog=1 to the logged in victim using any social engineering technique.
2. When an unsuspecting user with high privileges opens this URL, XSS will be triggered  which will execute the malicious javascript payload in users browser.
3. The vulnerable parameter in this case is “tab3”.