A stored XSS was found in mc-admin/post-edit.php.
HACHp1 opened this issue · 0 comments
HACHp1 commented
A stored XSS was found in mc-admin/post-edit.php. This vulnerability is similar to CVE-2018-10296 but at a different place.
POC:
Firstly, enter the /MiniCMS/mc-admin/post-edit.php page and write the payload "<script>alert(document.domain)</script>" into the tags box:
Save it, then return to the main page to go to the archive page:
Then you get the window popped with the domain:
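
The stored tag value runs as script because it reaches the archive page without output encoding. The following is an added example, not MiniCMS code and not part of the original report: it contrasts an unescaped tag renderer with an encoded one. The function names, the `$post` array and the tag-link markup are assumptions made for illustration.

```php
<?php
// Added illustration; function and variable names are hypothetical, not MiniCMS code.

// Constructed sample: a post whose tags field carries the payload from the report.
$post = ['title' => 'Hello', 'tags' => ['news', '<script>alert(document.domain)</script>']];

// Vulnerable pattern: stored tag text is concatenated into HTML unescaped,
// so the browser parses the <script> element when the archive page loads.
function render_tags_unsafe(array $tags): string
{
    $out = '';
    foreach ($tags as $tag) {
        $out .= '<a href="?tag=' . $tag . '">' . $tag . '</a> ';
    }
    return $out;
}

// Encode for the HTML context (element text and quoted attribute values).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: percent-encode the tag for the URL query component,
// then HTML-encode both the attribute value and the link text.
function render_tags_safe(array $tags): string
{
    $out = '';
    foreach ($tags as $tag) {
        $href = '?tag=' . rawurlencode($tag);
        $out .= '<a href="' . h($href) . '">' . h($tag) . '</a> ';
    }
    return $out;
}

echo render_tags_unsafe($post['tags']), "\n"; // script element reaches the page intact
echo render_tags_safe($post['tags']), "\n";   // payload is shown as inert text
```

Encoding at output time covers every page that prints tags, including values already saved before a fix is deployed.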