# Exploit Title: OctoberCMS 1.0.425 (aka Build 425) Stored XSS
# Vendor Homepage: https://octobercms.com/
# Software Link: https://octobercms.com/download
# Exploit Author: Ishaq Mohammed (https://www.exploit-db.com/author/?a=9086)
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: webapps
# CVE: CVE-2017-15284

1. Description

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing
a least privileged user to upload an SVG file containing malicious code as
the Avatar for the profile. When this is opened by the Admin, it causes
JavaScript execution in the context of the Admin account.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15284

2. Proof of Concept

Steps to Reproduce:

- Log in as a normal user and click on My Account.
- Click on the avatar.
- Upload the malicious .svg file, which contains the JavaScript.
- Click on Save.
- Log in from another browser with Admin credentials.
- Click on Settings > Administrators.
- Select the normal user's avatar and click on Attachment URL.

3. Reference

https://securityprince.blogspot.fr/2017/10/cve-2017-15284-octobercms-10425-build.html
https://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2

4. Solution

The vulnerability will be patched by the vendor in the next release of
OctoberCMS.

--
Best Regards,
Ishaq Mohammed
https://about.me/security-prince