monstra-cms/monstra

404 page has Stored XSS Vulnerability

Waterpaste opened this issue · 0 comments

Stored XSS was reported in #427 (title section), #435 (content section) and #436 (title section).
I found another stored XSS in the 404 page (name field); the vulnerability source is in monstra-3.0.4/plugins/box/pages/pages.admin.php.

Affected Version:

3.0.4 or before

Payload:
<a href="javascript:alert(/xss/)">xss</a>

Steps to replicate:

  1. Go to http://<your_site>/monstra/admin/index.php?id=pages
  2. Click Edit 404 page (http://<your_site>/monstra/admin/index.php?id=pages&action=edit_page&name=error404)
  3. Enter the payload in the title section and save
  4. Visit http://<your_site>/monstra/bilibili.php
  5. You will trigger JavaScript execution

Impacts:
A user with editor-level privileges can cause JavaScript code execution in an admin's session.

Testing Environment:
PHP/5.5.38 + Apache/2.4.23
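
As an added example (not part of the report and not Monstra's own code), the sketch below shows the mitigation pattern for a stored title field like the one described above: encode at output, and normalise to plain text at save time. The function names are hypothetical, the sample value is the payload from the report, and it assumes a page title is meant to be plain text.

```php
<?php
// Added illustration: hypothetical helpers, not taken from Monstra.

// Constructed sample input: the title value used in the report.
$storedTitle = '<a href="javascript:alert(/xss/)">xss</a>';

// Vulnerable pattern: the stored value is written into the HTML unchanged,
// so any markup saved by an editor becomes live markup for every visitor.
function render_title_unsafe($title)
{
    return '<h1>' . $title . '</h1>';
}

// Hardened output: encode for the HTML body/attribute context at render time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string.
function render_title_safe($title)
{
    return '<h1>' . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h1>';
}

// Defence in depth at save time: a title is assumed to be plain text, so
// markup and control characters are dropped before the value is stored.
// This does not replace output encoding; the stored value may still contain
// characters such as & or " that need encoding when rendered.
function normalize_title($title)
{
    $plain = strip_tags($title);
    $plain = preg_replace('/[\x00-\x1F\x7F]/', '', $plain);
    return trim($plain === null ? '' : $plain);
}

// 1) Unsafe rendering keeps the anchor element intact.
echo render_title_unsafe($storedTitle), PHP_EOL;

// 2) Safe rendering turns the markup into inert text.
echo render_title_safe($storedTitle), PHP_EOL;

// 3) Normalising on save and encoding on output leaves only the link text.
echo render_title_safe(normalize_title($storedTitle)), PHP_EOL;
```

Output encoding is the control that closes the issue; the save-time normalisation only reduces what reaches storage, so both are applied in the last call.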