[ CVE ] CVE-2015-5612 : Stored XSS in October CMS
- REVO
- Jul 25, 2015
- 2 min read
I recently got a CVE for a vulnerability I found in one of the open-source content management systems.
October CMS is an open-source CMS built on the Laravel PHP platform. It's simple and user-friendly.
This CMS has an easy-to-use user interface. Users are given the option to update their profile, including uploading a profile picture for the account.
Now, the interesting part is this:
After you upload the image, you can give it any name you like and, additionally, provide a description for it. This caption field executes JavaScript: it was vulnerable to stored cross-site scripting (XSS).
Severity:
After we log out of this account, if we visit this user profile as admin (i.e., with all the privileges), the JavaScript pops up. This is very simple, but it clearly shows privilege escalation.
Scenario:
Taking the vulnerability into consideration, an attacker can embed JavaScript good enough to grab admin credentials. In this case, there was a pop-up which made it clear that the script was running when the user account was opened by the admin.
Suppose there is no pop-up and a malicious script is embedded instead: then whenever another user opens this account, all the details will be available to the attacker, without the user even being aware of it. If there are thousands of users, this vulnerability can have catastrophic effects. This issue has been reported to the vendor and has been assigned the CVE identifier CVE-2015-5612.
The payload I used:
<svg onload = alert(document.cookie)>
(Pops up the cookie)
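The root cause is the caption being written into admin-facing HTML without output encoding. The following is an added illustration, not October CMS code: it models a profile page that renders the stored caption once as a quoted `alt` attribute and once as element text, shows the same payload as above becoming a live `<svg>` element in the unencoded version, and shows contextual HTML encoding neutralising it. The image URL and the render functions are assumptions for the example.

```javascript
// Added example (not October CMS code). Models how a stored media
// caption reaches the admin's browser, and why output encoding fixes it.

// Constructed sample: the caption stored via the profile picture form
// (the same payload shown in the post) and an assumed avatar URL.
const STORED_CAPTION = '<svg onload = alert(document.cookie)>';
const IMAGE_URL = 'https://example.test/avatar.png';

// Encode the five characters that matter in HTML text and in quoted
// attribute values; sufficient for both contexts used below.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Vulnerable rendering: the caption is concatenated raw into the markup.
function renderProfileUnsafe(imageUrl, caption) {
  return `<img src="${imageUrl}" alt="${caption}">` +
         `<p class="caption">${caption}</p>`;
}

// Hardened rendering: every untrusted value is encoded before insertion.
function renderProfileSafe(imageUrl, caption) {
  const url = escapeHtml(imageUrl), text = escapeHtml(caption);
  return `<img src="${url}" alt="${text}"><p class="caption">${text}</p>`;
}

// Minimal start-tag scanner (not a full HTML parser): lists the tags a
// browser would open, honouring quoted attribute values so a '<' inside
// alt="..." is not counted as a tag.
function tagNames(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] === '<' && /[a-z]/i.test(html[i + 1] || '')) {
      let j = i + 1, name = '';
      while (j < html.length && /[a-z0-9]/i.test(html[j])) name += html[j++];
      names.push(name.toLowerCase());
      let quote = null;                     // scan to the closing '>'
      while (j < html.length) {
        const c = html[j++];
        if (quote) { if (c === quote) quote = null; }
        else if (c === '"' || c === "'") quote = c;
        else if (c === '>') break;
      }
      i = j;
    } else i++;
  }
  return names;
}
```

Note that in the unencoded version the quoted `alt` attribute happens to contain the payload harmlessly; it is the text context that turns it into a live `<svg>` element.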




Special thanks to Anirudh Anand (lucif3r) for all his support and mentoring.
Heartfelt thanks to Team bi0s and Vipin Pavithran sir for everything!


