18 lines
No EOL
840 B
Text
18 lines
No EOL
840 B
Text
# Exploit Title: b2evolution 6.11.6 - 'plugin name' Stored XSS
|
|
# Date: 09/02/2021
|
|
# Exploit Author: Soham Bakore, Nakul Ratti
|
|
# Vendor Homepage: https://b2evolution.net/
|
|
# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
|
|
# Version: 6.11.6
|
|
# Tested on: latest version of Chrome, Firefox on Windows and Linux
|
|
# CVE : CVE-2020-22841
|
|
|
|
|
|
--------------------------Proof of Concept-----------------------
|
|
|
|
1. Login with an account having high privileges
|
|
2. Navigate to System -> Plugins and select any plugin
|
|
3. Change the plugin name and enter the following payload "><svg/onload=alert(123)> in the name parameter
|
|
4. Payload gets stored in the database
|
|
5. The payload gets executed after the victim checks the plugin page.
|
|
6. This vulnerability needs high privilege and can affect other users with similar privileges |