CMU CERT/CC VINCE 2.0.6 - Stored XSS

vendor:

VINCE

by:

Gjoko 'LiquidWorm' Krstic

6.1

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: VINCE

Affected Version From: 1

Affected Version To: 2.0.6

Patch Exists: NO

Related CWE:

CPE: a:cmu:vince:2.0.6

Metasploit:

Other Scripts:

Platforms Tested: nginx, Django

2023

CMU CERT/CC VINCE 2.0.6 – Stored XSS

CMU CERT/CC VINCE 2.0.6 web platform is prone to a stored cross-site scripting vulnerability. Attackers can inject arbitrary HTML/JS code through the 'content' POST parameter, which is not properly sanitized. This allows malicious code execution in the context of the affected user's browser session.

Mitigation:

To mitigate this vulnerability, input validation and output encoding should be implemented to sanitize user inputs and prevent the execution of malicious scripts.

Source

Exploit-DB raw data:

# Exploit Tile: CMU CERT/CC VINCE 2.0.6 - Stored XSS
# Vendor: Carnegie Mellon University
# Product web page: https://www.kb.cert.org/vince/
# Affected version: <=2.0.6

Summary: VINCE is the Vulnerability Information and Coordination
Environment developed and used by the CERT Coordination Center
to improve coordinated vulnerability disclosure. VINCE is a
Python-based web platform.

Desc: The framework suffers from an authenticated stored
cross-site scripting vulnerability. Input passed to the
'content' POST parameter is not properly sanitised before
being returned to the user. This can be exploited to execute
arbitrary HTML/JS code in a user's browser session in context
of an affected site.

Tested on: nginx/1.20.0
           Django 3.2.17


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5917
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5917.php


13.01.2023

--


$ curl -k https://kb.cert.org/vince/comm/post/CASE_NO \
> -H "Cookie: sessionid=xxxx" \
> -d 'content="><marquee>ZSL</marquee>%0A%0A&csrfmiddlewaretoken=xxx&paginate_by=10&reply_to=xxxxx'