Headline
CVE-2020-24223: CVE/Mara CMS 7.5 - Cross Site Scripting at master · FreySolarEye/CVE
Mara CMS 7.5 allows cross-site scripting (XSS) in contact.php via the theme or pagetheme parameters.
============================================================================================================================
| # Title : Mara CMS 7.5 Cross Site Scriping |
| # Author : George Tsimpidas |
| # Tested on : Kali Linux (X64) | |
| # Vendor : https://sourceforge.net/projects/maracms/ |
| # CVE : CVE-2020-24223 |
============================================================================================================================
Mara CMS 7.5 suffers from a Reflected Cross Site Scripting vulnerability.
Description :
This Reflected XSS vulnerability allows any authenticated user to
inject malicious code via the parameter contact.php?theme=<inject>.
The vulnerability exists because the parameter is not properly
sanitized and this can lead to malicious code injection that will be
executed on the target’s browser.
PoC
[+] Use Payload : seven69387’;alert(1)//154
Path : http://localhost/contact.php?theme=< inject payload here>
Full Path :
http://localhost/contact.php?theme=seven69387’;alert(1)//154