Authenticated Stored Cross-Site Scripting (XSS) in pluck-cms/pluck

Valid

Reported on

Mar 13th 2023


Description

Log in to the admin account. Use the following URL (http://192.168.0.211/admin.php?action=files) or navigate to pages -> manage files.

Upload the XSS payload as a file with a ".html" extension.

Intercept the request with Burp Suite.

Modify the Content-Type to application/x-php and forward the request.

File uploaded successfully.

View the sample.html file with the lens icon next to the filename, or open the uploaded file directly; it is stored at (http://192.168.0.211/file/sample.html).

Observed that our XSS payload is executed successfully.

Admin credentials are required to upload this file. Once the file is uploaded, it can be accessed even without logging in.
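In the steps above the upload was accepted after the client-controlled Content-Type header was rewritten in Burp Suite, and the stored .html file was then served from the site's own origin, where its script runs with the site's cookies. The following is an added example, not pluck-cms code and not the 4.7.16 fix, showing the two server-side controls a file manager needs for this class of bug: validating uploads by extension allowlist and magic bytes while ignoring the declared Content-Type, and serving stored files with headers that stop a browser from rendering them as HTML. The function names (validate_upload, serving_headers), the ALLOWED_TYPES table and the sample inputs are all constructed for this example.

```python
"""Server-side upload validation and safe serving headers for a CMS
file manager. Added example; not pluck-cms code."""
from dataclasses import dataclass
import os
import re

# Extensions the file manager may accept, mapped to the MIME type the
# server itself will use when serving them. The client-supplied
# Content-Type is never used for this decision: the report shows it can
# be set to anything (application/x-php) with an intercepting proxy.
ALLOWED_TYPES = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "pdf": "application/pdf",
    "txt": "text/plain",
}

# Magic-byte prefixes used to confirm the content matches the extension.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

INLINE_OK = {"png", "jpg", "jpeg", "gif"}  # safe to display inline
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")
MARKUP = re.compile(rb"<\s*(script|html|body|iframe|svg)", re.I)


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""
    content_type: str = ""
    # True when the declared Content-Type is not one the server would ever
    # assign; worth logging, since it signals a tampered request.
    declared_type_mismatch: bool = False


def validate_upload(filename, client_content_type, data):
    """Decide whether an upload may be stored. Only the filename and the
    bytes matter; client_content_type is recorded for detection only."""
    declared = (client_content_type or "").split(";")[0].strip().lower()
    mismatch = declared not in ALLOWED_TYPES.values()

    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(base) or ".." in base:
        return Verdict(False, "unsafe filename", declared_type_mismatch=mismatch)
    parts = base.lower().split(".")
    if len(parts) < 2:
        return Verdict(False, "missing extension", declared_type_mismatch=mismatch)
    # Every extension segment must be allowlisted, so "sample.html" and
    # "shell.php.png" are both rejected whatever Content-Type was sent.
    exts = parts[1:]
    for ext in exts:
        if ext not in ALLOWED_TYPES:
            return Verdict(False, f"extension .{ext} not allowed",
                           declared_type_mismatch=mismatch)
    ext = exts[-1]
    sigs = MAGIC.get(ext)
    if sigs and not any(data.startswith(s) for s in sigs):
        return Verdict(False, "content does not match extension",
                       declared_type_mismatch=mismatch)
    if ext == "txt" and MARKUP.search(data):
        # a "text" file containing markup is the classic sniffing vector
        return Verdict(False, "markup in text upload",
                       declared_type_mismatch=mismatch)
    return Verdict(True, "ok", base, ALLOWED_TYPES[ext], mismatch)


def serving_headers(stored_name):
    """Headers for /file/<name>: server-chosen type, no sniffing, and a
    download disposition plus a sandboxed CSP for anything not an image,
    so a stored document can never run script in the site's origin."""
    ext = stored_name.rsplit(".", 1)[-1].lower()
    headers = {
        "Content-Type": ALLOWED_TYPES.get(ext, "application/octet-stream"),
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if ext not in INLINE_OK:
        headers["Content-Disposition"] = f'attachment; filename="{stored_name}"'
    return headers


if __name__ == "__main__":
    # constructed sample: the report's upload, re-typed as application/x-php
    print(validate_upload("sample.html", "application/x-php", b"<script>alert(1)</script>"))
    print(serving_headers("notes.txt"))
```

The declared_type_mismatch flag is the detection hook: a request whose declared type is not one the server would ever assign is a strong indicator of a hand-edited upload, and is worth writing to the audit log even when the upload is rejected.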

Impact

If an attacker can control a script that is executed in the victim's browser, they can typically fully compromise that user: cookie theft leading to session hijacking, an XSS keylogger (logging keystrokes), making arbitrary requests on the user's behalf, and redirecting the user to a malicious site.

We are processing your report and will contact the pluck-cms/pluck team within 24 hours. 2 months ago
Syed
2 months ago

Researcher


Note: This vulnerability has already been reported to the concerned development team and they fixed this issue in 4.7.16. Requesting a CVE for this finding.

Syed
2 months ago

Researcher


For confirmation please check the release notes of PluckCMS 4.7.16

We have contacted a member of the pluck-cms/pluck team and are waiting to hear back 2 months ago
pluck-cms/pluck maintainer modified the Severity from Medium (4.9) to Medium (4.2) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
pluck-cms/pluck maintainer validated this vulnerability 2 months ago
Syed has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pluck-cms/pluck maintainer marked this as fixed in 4.7.16 with commit 11e3b0 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 20th 2023
pluck-cms/pluck maintainer published this vulnerability 2 months ago
pluck-cms/pluck maintainer gave praise 2 months ago
As discussed in the reporting email chain. Thanks for finding it and your retesting
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Syed
2 months ago

Researcher


Hi Team, is this vulnerability not eligible for a CVE?
