BlogMagz 1.0 - Stored XSS

Our sensors found this exploit at:

Below is a copy:

BlogMagz 1.0 - Stored XSS
Author   : CraCkEr                                             
Website  : -
Vendor   : Tech Robot                                          
Software : BlogMagz CMS 1.0                                    
Vuln Type: Stored XSS                                          
Impact   : Manipulate the content of the site                  

Release Notes:                                                                      

The attacker can send to victim a link containing a malicious URL in an email or    
instant message can perform a wide variety of actions, such as stealing the victim's
session token or login credentials   


The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL
CryptoJob (Twitter)

## Reflected XSS (RXSS)

Path: /search
GET Parameter 'q' is Vulnerable to Reflected XSS (RXSS)


## Stored XSS

POST /blogmagz/ajax/article/add-comment HTTP/2
post_id=8&comment=[XSS Payload]

## Steps to Reproduce:

1. Login in Any Normal User Mode
2. Comment On Any Post with Your [XSS Payload]

3. When Admin Visit the Admin Panel The XSS Will Fire On his Browser
4. When the Admin will Visit https://website/blogmagz/admin/pending-comments
5. The XSS Will Fire Again on his Browser

[-] Done

 CraCkEr 2023

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.