header-logo
Suggest Exploit
vendor:
October CMS User Plugin
by:
0xB9
6.1
CVSS
MEDIUM
Persistent Cross-Site Scripting
79
CWE
Product Name: October CMS User Plugin
Affected Version From: 1.4.2005
Affected Version To: 1.4.2005
Patch Exists: YES
Related CWE: CVE-2018-10366
CPE: a:october:october_cms_user_plugin:1.4.5
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu 17.10
2018

October CMS User Plugin v1.4.5 – Persistent Cross-Site Scripting

Persistent XSS- Go to the account page localhost/OctoberCMS/account/- Register & enter the following for your full name <p "'"><SCRIPT>alert("XSS")</SCRIPT>">- You will be alerted everytime you visit the account page localhost/OctoberCMS/account/

Mitigation:

Update to 1.4.6
Source

Exploit-DB raw data:

# Exploit Title: October CMS User Plugin v1.4.5 - Persistent Cross-Site Scripting
# Date: 2018-04-03
# Author: 0xB9
# Software Link: https://octobercms.com/plugin/rainlab-user
# Version: 1.4.5
# Tested on: Ubuntu 17.10
# CVE: CVE-2018-10366

#1. Description:
Front-end user management for October CMS. Allows visitors to create a website.

#2. Proof of Concept:

Persistent XSS
- Go to the account page localhost/OctoberCMS/account/
- Register & enter the following for your full name <p """><SCRIPT>alert("XSS")</SCRIPT>">
- You will be alerted everytime you visit the account page localhost/OctoberCMS/account/

#3. Solution:
Update to 1.4.6

Navigation

Suggest Exploit

Services By CQR