Headline
CVE-2023-43342: GitHub - sromanhu/CVE-2023-43342-Quick-CMS-Stored-XSS---Languages-Frontend: Quick CMS 6.7 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via
Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Languages Menu component.
Quick CMS Stored XSS v6.7****Author: (Sergio)
Description: A Cross-Site Scripting (XSS) vulnerability in Quick CMS v6.7 allows a local attacker to execute arbitrary code via a crafted script to the to the Front and back end - Pages in the Languages Menu.
Attack Vectors: Scripting A vulnerability in the sanitization of the entry in the Pages of “Languages- Front and back end” allows injecting JavaScript code that will be executed when the user accesses the web page.
POC:
When logging into the panel, we will go to the “Languages - Front and back end .” section off General Menu.
We edit that Front and back end Settings and see that we can inject arbitrary Javascript code in the Pages field.
XSS Payload:
'"><svg/onload=alert(‘Pages’)>
In the following image you can see the embedded code that executes the payload in the main web.
Additional Information:
https://opensolution.org/cms-system-quick-cms.html
https://owasp.org/Top10/es/A03_2021-Injection/