[ CVE ] CVE-2015-5612 : Stored XSS in October CMS
I recently got a CVE for revealing a vulnerability that I found in one of the open-source content management systems.
October CMS is an open-source CMS built on the Laravel PHP framework. It is simple and user-friendly.
The CMS has an easy-to-use interface. Users can update their profile, including uploading a profile picture for the account.
Now, the interesting part is this:
After you upload the image, you can give it any name you like and additionally provide a description (caption) for it. The caption is stored and later rendered into the page as-is, so HTML and JavaScript placed in it execute. This is a stored cross-site scripting (XSS) vulnerability.
Severity:
After logging out of this account, if the profile is viewed by an admin (i.e., a user with all privileges), the JavaScript pops up in the admin's browser. This is very simple, but the consequence is that a script written by a low-privilege user runs inside the admin's authenticated session, which gives the attacker a path to privilege escalation.
Scenario:
Given this vulnerability, an attacker can embed JavaScript that steals the admin's session or performs actions with the admin's privileges. In this case there was a pop-up, which made it clear that the script ran when the admin opened the user account.
Suppose there is no pop-up and a silent malicious script is embedded instead. Then whenever another user opens this profile, the details reachable from that user's session are sent to the attacker without the victim being aware of it. With thousands of users, the effect can be severe. The issue was reported to the vendor and assigned the CVE identifier CVE-2015-5612.
The payload I used :
<svg onload = alert(document.cookie)>
(Pops up the cookie. Note that cookies flagged HttpOnly are not visible to document.cookie, so an empty alert does not mean the script did not run; it still executes inside the viewer's session.)
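The following is an added illustration of the bug class described in the Severity and Scenario sections above, not code from the write-up or from October CMS. It renders a stored caption into HTML once verbatim (the vulnerable pattern) and once with output encoding, using the write-up's own payload as constructed input, and includes a crude check for whether an event-handler-bearing element survived into the output. The function names and the `<p class="caption">` wrapper are assumptions for the example; October's actual template and fix are not reproduced here.

```javascript
// Added illustration of stored XSS via an unencoded caption; not October CMS code.
// A caption is untrusted text supplied by a low-privilege user and later rendered
// into the profile page that an admin views. Rendering it verbatim into HTML lets
// the browser parse markup (and event handlers) out of it; encoding it for the
// HTML text context does not.

// The payload from the write-up, stored as the caption (constructed input).
const STORED_CAPTION = '<svg onload = alert(document.cookie)>';

// Vulnerable pattern: string concatenation, the caption becomes part of the markup.
// (Hypothetical template; the real CMS template is not shown here.)
function renderCaptionUnsafe(caption) {
  return '<p class="caption">' + caption + '</p>';
}

// Escape the characters that have meaning in HTML text and attribute contexts.
// Quotes are included so the same helper is also safe inside a double- or
// single-quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: same template, caption encoded at the point of output.
function renderCaptionSafe(caption) {
  return '<p class="caption">' + escapeHtml(caption) + '</p>';
}

// Crude check approximating what the browser would do with the markup:
// does the rendered output contain a tag that carries an on*= event handler?
function containsInjectedElement(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

console.log('unsafe:', renderCaptionUnsafe(STORED_CAPTION));
console.log('safe:  ', renderCaptionSafe(STORED_CAPTION));
console.log('injected element in unsafe output:', containsInjectedElement(renderCaptionUnsafe(STORED_CAPTION)));
console.log('injected element in safe output:  ', containsInjectedElement(renderCaptionSafe(STORED_CAPTION)));
```

The escaping must happen at the point of output, in the context the value lands in; escaping on input is not a substitute, because the same stored string may be emitted into HTML, an attribute, or a script block, each of which needs a different encoding. The regex check is only a quick test for this one payload shape and is not a sanitizer.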
Special thanks to Anirudh Anand (lucif3r) for all his support and mentoring.
Heartfelt thanks to Team bi0s and Vipin Pavithran sir for everything!