Cross-site Scripting (XSS) - Stored in mineweb/minewebcms

Valid

Reported on

Feb 20th 2022


Description

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

Proof of Concept

Steps to Reproduce:
=> Install the web app and set it up.
=> Log in to the web app using admin credentials.
=> Navigate to "http://localhost/MineWebCMS-1.15.2/admin/navbar".
=> Add or edit a link and select "Drop-Down Menu".
=> The "Link Name" and "URL" inputs are both vulnerable to a simple XSS.
=> Payload: <script>alert(1);</script>
=> The XSS triggers on "http://localhost/MineWebCMS-1.15.2/", i.e. the web app's home page.

Note: As you can see, this simple payload works in those two inputs as normal. The whole admin input structure of the web app allows HTML injection or XSS injection.

Here I attach two screenshots for easy understanding.

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.
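
The mitigation for the two fields named in the proof of concept, shown as an added example next to the unsafe rendering pattern. This is not MineWebCMS code and not the fix from the commit referenced in this report; the function names, the row layout and the allowed-scheme list are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not MineWebCMS code; names and the scheme allow-list are assumptions.

/** HTML-encode a value for element content or a quoted attribute. */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Return the URL if it is http(s) or a site-relative path, otherwise '#'. */
function safe_href(string $url): string
{
    $url = trim($url);
    // Browsers strip or reinterpret control characters and spaces inside URLs.
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return '#';
    }
    // Site-relative path such as /shop, but not //host or /\host.
    if (preg_match('#^/(?![/\\\\])#', $url) === 1) {
        return $url;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true)) {
        return $url;
    }
    return '#';
}

/** Unsafe: stored values are concatenated into the page as-is. */
function render_link_unsafe(array $link): string
{
    return '<li><a href="' . $link['url'] . '">' . $link['name'] . '</a></li>';
}

/** Hardened: validate the URL, then HTML-encode both values on output. */
function render_link_safe(array $link): string
{
    return '<li><a href="' . esc_html(safe_href($link['url'])) . '">'
        . esc_html($link['name']) . '</a></li>';
}

// Constructed sample row, using the payload from the report in both fields.
$link = ['name' => '<script>alert(1);</script>', 'url' => '<script>alert(1);</script>'];

echo render_link_unsafe($link), PHP_EOL; // stored markup reaches the page unchanged
echo render_link_safe($link), PHP_EOL;   // name is rendered as text, href falls back to '#'
```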


We are processing your report and will contact the mineweb/minewebcms team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the mineweb/minewebcms team and are waiting to hear back 2 years ago
We have sent a follow up to the mineweb/minewebcms team. We will try again in 7 days. 2 years ago
We have sent a second follow up to the mineweb/minewebcms team. We will try again in 10 days. 2 years ago
nivcoo validated this vulnerability 2 years ago
AggressiveUser has been awarded the disclosure bounty
The fix bounty is now up for grabs
AggressiveUser
2 years ago

Researcher


@admin @maintainer can you assign a CVE ID for this report, if it's possible?

nivcoo marked this as fixed in next with commit 06ce52 2 years ago
nivcoo has been awarded the fix bounty
This vulnerability will not receive a CVE
Jamie Slome
2 years ago

Admin


Sure, we can help you out with this. Firstly, we do require the go-ahead from the maintainer before we publish the CVE.

@maintainer - are you happy for us to assign and publish a CVE for this report?

nivcoo
2 years ago

Maintainer


Sorry for the late reply, I didn't see the message. Yes, you can.

AggressiveUser
2 years ago

Researcher


@admin please assign one

Jamie Slome
2 years ago

Admin


Sorted! 🍰
