Description: A cross-site scripting (XSS) vulnerability in ZenarioCMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script in the Spare aliases field under Alias.
Attack Vectors: A flaw in the sanitization of input to the Spare aliases field allows injection of JavaScript code that is executed when the user accesses the web page.
After logging into the panel, we go to "Menu node properties - Select content item" from the Administration Menu.
We select an alias and click on Edit content item:
And now in Edit alias:
We add the payload in the Spare aliases field and the reflected XSS pop-up appears.
<><img src=1 onerror=alert('Spare')>
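The missing control on this field, sketched from the defender's side as an added example (not Zenario's code and not from the original report): allowlist validation when the Spare aliases value is submitted, plus HTML encoding when it is rendered. The function names, the separator rule and the allowed alias character set are assumptions.

```javascript
// Added example: names, separators and the alias policy below are assumptions
// for illustration, not taken from Zenario's code base.

// Assumed policy: an alias is a URL slug of letters, digits, '-' and '_'.
const ALIAS_RE = /^[A-Za-z0-9_-]{1,64}$/;

// Input side: split the field (assumed comma/whitespace separated) and reject
// the whole submission if any entry falls outside the allowlist.
function parseSpareAliases(raw) {
  const entries = String(raw).split(/[\s,]+/).filter(Boolean);
  const rejected = entries.filter((e) => !ALIAS_RE.test(e));
  const ok = rejected.length === 0;
  return { ok, accepted: ok ? entries : [], rejected };
}

// Output side: encode the five HTML-significant characters so a stored value
// is always rendered as text, even if validation was bypassed or added later.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the value is concatenated into markup unchanged.
function renderAliasUnsafe(alias) {
  return `<li class="alias">${alias}</li>`;
}

// Hardened pattern: the same markup with the value encoded for HTML context.
function renderAliasSafe(alias) {
  return `<li class="alias">${escapeHtml(alias)}</li>`;
}

// The payload shown on this page, used as the test input.
const PAYLOAD = "<><img src=1 onerror=alert('Spare')>";

console.log(parseSpareAliases(PAYLOAD));                  // rejected at input
console.log(parseSpareAliases("old-home, landing_2023")); // constructed valid input
console.log(renderAliasUnsafe(PAYLOAD));                  // markup reaches the page
console.log(renderAliasSafe(PAYLOAD));                    // rendered as inert text
```

Both layers matter: validation keeps malformed aliases out of storage, while output encoding protects every page that later displays values already stored.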
We can also access the alias panel from the Edit Layout of the administration panel.
And add the payload: