Cross-site Scripting (XSS) - Stored in mineweb/minewebcms
Feb 20th 2022
Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.
Proof of Concept
Steps to Reproduce:- => Install the WebApp and Setup it => Login in to webAPP using Admin Creds. => Navigate to "http://localhost/MineWebCMS-1.15.2/admin/navbar" => Add/Edit a Link Select "Drop-Down Menu" => "Link Name" and "URL" Both Input are Vulnerable to Exploit Simple XSS => Payload : <script>alert(1);</script> => XSS will trigger on "http://localhost/MineWebCMS-1.15.2/" Aka WebApp HOME Page Note : As you can see this simple payload working in those two inputs as normally . Whole WebApp Admin Input Structure is allow to do HTML Injection or XSS Injection
Here i attach two ScreenShot for Easy UnderStand
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.
@admin @maintainer can you assign CVE ID if it’s possible for this report
Sure, we can help you out with this. Firstly, we do require the go-ahead from the maintainer before we publish the CVE.
@maintainer - are you happy for us to assign and publish a CVE for this report?
Sorry for the late, i did'nt see the message, yes you can
@admin please assign one