Headline
News247 News Magazine 1.0 Cross Site Scripting
News247 News Magazine version 1.0 suffers from a persistent cross site scripting vulnerability.
# Exploit Title: News247 - News Magazine (CMS) v1.0 – Stored Cross Site Scripting (XSS) # Exploit Author: Ravinder Verma # Date: Septmeber 14, 2022 # Vendor Homepage: https://www.sourcecodester.com/php/14952/news247-news-magazine-php-script.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/news247.zip # Tested on: Kali Linux, Apache, Mysql # Vendor: 255programmer # Version: v1.0 # CVE [Reserved] : CVE-2021-41731 # Exploit Description:# News247 - News Magazine (CMS) v1.0 suffers from a stored cross sitescripting (XSS) Vulnerability. Admin can publish blogs under variouscategories. When creating new "blog category", if admin give maliciouspayload like *""><img src=x onerror=alert(document.cookie)>* into thecategory name field and publish that blog. Then it allows you to executearbitrary JavaScript in the context of the whole user who visited thatpage. It can be abused to steal session cookies, perform requests in thename of the victim or for phishing attacks.
Related news
CVE-2021-41731: News247 News Magazine 1.0 Cross Site Scripting ≈ Packet Storm
Cross Site Scripting (XSS vulnerability exists in )Sourcecodester News247 News Magazine (CMS) PHP 5.6 or higher and MySQL 5.7 or higher via the blog category name field