CVE-2020-20523: XSS on Gila CMS Installation · Issue #41 · GilaCMS/gila

Cross Site Scripting (XSS) vulnerability in the adm_user parameter in Gila CMS version 1.11.3 allows remote attackers to execute arbitrary code during the Gila CMS installation.


XSS on Gila CMS Installation

Gila CMS version 1.11.3

1: Admin Username

<input name="adm_user" placeholder="Your Name" required="">

adm_user

/install/install.sql.php

// Installer reads the admin account fields straight from the POST body;
// adm_user and adm_email are not validated or encoded in any way.
$_user=$_POST['adm_user'];
$_email=$_POST['adm_email'];
$_pass=password_hash($_POST['adm_pass'], PASSWORD_BCRYPT);

// The raw values are interpolated into the SQL string, so whatever the
// installer was sent (markup included) is stored verbatim as the username.
$link->query("INSERT INTO userrole(id,userrole) VALUES(1,'Admin');");
$link->query("INSERT INTO user(id,username,email,pass,active,reset_code) VALUES(1,'$_user','$_email','$_pass',1,'');");
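The snippet above stores the submitted username unchanged and later renders it in the admin panel, which is what makes the XSS stored rather than reflected. The following is an added example, not Gila CMS code: it shows the same installer insert written defensively, with input validation, a parameterised query, and HTML escaping at the point of output. It assumes PDO is available and uses an in-memory SQLite database in place of the MySQL connection `$link` from install.sql.php; the function names and the sample inputs are constructed for the example.

```php
<?php
// Added example (not Gila CMS code): hardened version of the installer insert.
// Assumption: PDO with the sqlite driver is available; in-memory SQLite stands
// in for the MySQL connection ($link) used by install.sql.php.
declare(strict_types=1);

// Accept only a conservative username alphabet. A value that cannot contain
// '<', '>', quotes or '&' stays inert even if some template forgets to escape.
function validateAdminUsername(string $raw): string
{
    $user = trim($raw);
    if ($user === '' || strlen($user) > 64 || !preg_match('/^[A-Za-z0-9_.-]+$/', $user)) {
        throw new InvalidArgumentException('Admin username must be 1-64 chars of [A-Za-z0-9_.-]');
    }
    return $user;
}

// Bind the values instead of interpolating them into the SQL text, so a quote
// in the input can never change the shape of the statement.
function createAdminUser(PDO $db, string $user, string $email, string $plainPass): void
{
    $hash = password_hash($plainPass, PASSWORD_BCRYPT);
    $stmt = $db->prepare(
        "INSERT INTO user(id,username,email,pass,active,reset_code) VALUES(1,:u,:e,:p,1,'')"
    );
    $stmt->execute([':u' => $user, ':e' => $email, ':p' => $hash]);
}

// Encode on output: this is the actual fix for the stored XSS. Every place the
// admin panel prints a username must go through an HTML-escaping step.
function renderUsername(string $user): string
{
    return '<span class="username">'
        . htmlspecialchars($user, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// Demo with constructed inputs (not real submissions).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user(id INTEGER PRIMARY KEY, username TEXT, email TEXT, pass TEXT, active INTEGER, reset_code TEXT)');

$rejected = ['<script>alert(1)</script>', "x' OR '1'='1", ''];
foreach ($rejected as $raw) {
    try {
        validateAdminUsername($raw);
        echo "unexpectedly accepted: $raw" . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected ' . json_encode($raw) . ': ' . $e->getMessage() . PHP_EOL;
    }
}

// A well-formed username passes validation and is stored via a bound parameter.
$user = validateAdminUsername('alice');
createAdminUser($db, $user, 'alice@example.invalid', 'correct horse battery staple');
$stored = $db->query('SELECT username FROM user WHERE id = 1')->fetchColumn();
echo 'stored: ' . $stored . PHP_EOL;

// Even if a markup-bearing value had reached the database, output encoding
// turns it into visible text rather than an executable element.
echo renderUsername('<script>alert(1)</script>') . PHP_EOL;
// prints: <span class="username">&lt;script&gt;alert(1)&lt;/script&gt;</span>
```

Validation and prepared statements each close one half of the original pattern (markup in the stored value, quotes in the SQL text), but the only change that fixes the XSS on its own is `htmlspecialchars` at render time; the other two are defence in depth.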

2: Log in to the admin panel

XSS

Visit the website

3: Reference

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
