Cross-site Scripting (XSS) - Stored in mineweb/minewebcms


Reported on

Sep 14th 2021


A malicious actor is able to add a malicious payload as a new Page Title, and after every time any administrative user visits the /admin/pages route, the XSS payload is executed.

Proof of Concept

1;Create a new Page at the following route: /admin/pages/add. Use the following payload as the Page title: <script>alert("This Is An XSS POC");</script>, save with arbitrary url and content.

2; Save the new Page, upon saving the XSS payload get executed already.

3; Now, each time any administrative user visits the Pages admin menu at the /admin/pages route, the XSS payload gets executed.


The danger of the stored XSS is that malicious actor is able to gather session identifiers from any other admin user, who happens to browse the pages menu. The malicious actor can thus impersonate any other admin and act as them. Upon receiving this information, the Confidentiality of sessions is compromised.

We created a GitHub Issue asking the maintainers to create a 2 years ago
nivcoo validated this vulnerability a year ago
PHoward has been awarded the disclosure bounty
The fix bounty is now up for grabs
nivcoo marked this as fixed in 1.15.1 with commit e45797 a year ago
nivcoo has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation