Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-43343: GitHub - sromanhu/CVE-2023-43343-Quick-CMS-Stored-XSS---Pages-Files: Quick CMS 6.7 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a craft

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Files - Description parameter in the Pages Menu component.

CVE
Open in Source
#xss#vulnerability#web#git#java#auth

Quick CMS Stored XSS v6.7****Author: (Sergio)

Description: Multiple Cross-Site Scripting (XSS) vulnerabilities in Quick CMS v6.7 allows a local attacker to execute arbitrary code via a crafted script to the to the Files - Description in the Pages Menu.

Attack Vectors: Scripting A vulnerability in the sanitization of the entry in the Description of “Pages- Files Menu” allows injecting JavaScript code that will be executed when the user accesses the web page.

POC:

When logging into the panel, we will go to the “Pages - Files .” section off General Menu.

We edit that Description Settings and see that we can inject arbitrary Javascript code in the Desription field.

XSS Payload:

'"><svg/onload=alert(‘Description’)>

In the following image you can see the embedded code that executes the payload in the main web.

Additional Information:

https://opensolution.org/cms-system-quick-cms.html

https://owasp.org/Top10/es/A03_2021-Injection/

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE