vendor: BlackCat CMS
by: Ömer Hasan Durmuş
CVSS: 8.8 (HIGH)
CWE-79: Stored Cross-Site Scripting (XSS)
Product Name: BlackCat CMS
Affected Version From: 1.3.6
Affected Version To: 1.3.6
Patch Exists: NO
Related CWE: N/A
CPE: a:blackcat-cms:blackcat_cms
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2021

BlackCat CMS 1.3.6 – ‘Multiple’ Stored Cross-Site Scripting (XSS)

BlackCat CMS 1.3.6 is vulnerable to multiple stored cross-site scripting (XSS) attacks in its backend. Both require an authenticated backend (admin) session at http://TARGET/backend/start/index.php. In the first, the attacker opens 'Addons', chooses 'Create new' and enters JavaScript in the 'Module / language name' field. In the second, the attacker opens 'Access', then 'Manage groups', enters JavaScript in the 'Group name' field and clicks 'Add group'. Neither value is encoded when the backend renders it, so the payload is stored and executes in the browser of any user who later views the affected page, in the context of that user's backend session. Because exploitation requires valid backend credentials, the realistic impact is one backend user attacking other backend users who view the same pages, not an unauthenticated remote attack.

Mitigation:

No vendor patch is listed. Fixing the issue requires encoding every user-controlled value for the context in which the backend renders it (for HTML text and quoted attribute values, HTML-entity encoding such as PHP's htmlspecialchars with ENT_QUOTES), rather than relying only on input sanitization, which is easily bypassed and does nothing for values that are already stored. Input validation on fields such as 'Group name' and 'Module / language name' (length limit and an allowed character set) is a useful additional control, and a Content-Security-Policy that disallows inline script limits the impact of any encoding site that is missed. Until a fix is available, restrict backend accounts to trusted users and review existing group and addon names for injected markup.
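The two rendering sites described above fail the same way: a stored field value is emitted into backend HTML without encoding. The following JavaScript is an added example, not BlackCat CMS code (the CMS is written in PHP, and its actual templates and field handling are not on this page). It shows the unsafe concatenation beside the hardened form that applies the output encoding the mitigation calls for, a crude check that tells the two renderings apart, and a Content-Security-Policy header as defence in depth. The table markup, the `description` field, the event-handler payload variant and the nonce value are assumptions made for the example.

```javascript
// Added example (not BlackCat CMS code): the unsafe rendering pattern behind a
// stored XSS, next to its hardened form. Field names mirror the advisory's
// "Group name"; the <tr>/<td> template markup is assumed.

// Payload from the advisory's steps: stored once, fires every time it is rendered.
const PAYLOAD = '<script>alert(1)</script>';

// Vulnerable: the stored value is concatenated straight into the HTML.
function renderGroupRowUnsafe(group) {
  return `<tr><td>${group.name}</td><td>${group.description}</td></tr>`;
}

// Encoding for HTML text and quoted attribute values. Replaces the five
// characters that can break out of those contexts; equivalent in effect to
// PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), applied at output time.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same template, every untrusted value encoded for its context.
function renderGroupRowSafe(group) {
  return `<tr><td>${escapeHtml(group.name)}</td><td>${escapeHtml(group.description)}</td></tr>`;
}

// Crude detector: does the markup contain a script element or an inline
// event handler attribute introduced by the stored value? A real check would
// parse the DOM; a regex is enough to show the difference between the two
// renderings. Goes slightly beyond the advisory's payload by also flagging
// `<img src=x onerror=...>`-style vectors.
function looksExecutable(html) {
  return /<script\b[^>]*>|<[^>]+\son\w+\s*=/i.test(html);
}

// Defence in depth: a CSP that refuses inline script, so a missed encoding
// site cannot execute `<script>alert(1)</script>`. The CMS's own inline
// scripts would need the per-response nonce (assumed here) to keep working.
function cspHeader(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

// Constructed sample record, as the "Add group" form would store it.
function demo() {
  const group = { name: PAYLOAD, description: 'Editors' };
  const unsafe = renderGroupRowUnsafe(group);
  const safe = renderGroupRowSafe(group);
  return {
    unsafe,
    safe,
    unsafeExecutes: looksExecutable(unsafe),
    safeExecutes: looksExecutable(safe),
  };
}

const result = demo();
console.log('unsafe:', result.unsafe);
console.log('safe:  ', result.safe);
console.log('unsafe executes:', result.unsafeExecutes, '| safe executes:', result.safeExecutes);
console.log('CSP:', cspHeader('r4nd0m'));
```

The point of encoding at render time rather than sanitizing on input is that it protects values already sitting in the database and does not depend on guessing every payload shape; the detector here exists only to make the difference visible, not as a production filter.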

Exploit-DB raw data:

# Exploit Title: BlackCat CMS 1.3.6 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 04/07/2021
# Exploit Author: Ömer Hasan Durmuş
# Vendor Homepage: https://blackcat-cms.org/
# Software Link: https://blackcat-cms.org/page/download.php
# Version: BlackCat CMS - 1.3.6

Step 1 : Login to admin account in http://TARGET/backend/start/index.php
Step 2 : Then click on the "Addons"
Step 3 : Click on "Create new"
Step 4 : Input "<script>alert(1)</script>" in the field "Module / language name"
Step 5 : Update or visit new page.

Step 1 : Login to admin account in http://TARGET/backend/start/index.php
Step 2 : Then click on the "Access"
Step 3 : Click on "Manage groups"
Step 4 : Input "<script>alert(1)</script>" in the field "Group name" and click "Add group"
Step 5 : Update or visit new page.