[Suggested description]
Kentico Xperience 13.0.44 allows XSS via an XML document to the Media Libraries subsystem.
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
Kentico
------------------------------------------
[Affected Product Code Base]
Kentico Xperience CMS - v13.0.44
------------------------------------------
[Affected Component]
Media libraries
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
>
> [Attack Vectors]
> Step:1 Go to the Media libraries page.
> Step:2 Create an XML cross-site scripting file.
> Step:3 Upload XSS.xml to the Kentico Xperience CMS v13.0.44.
> Step:4 Intercept the request to view the parameters.
> Step:5 The cross-site scripting will be saved in the system.
> Step:6 The save completes successfully.
> Step:7 The XML cross-site scripting file was saved in the system.
> Step:8 Try clicking the file link; the stored cross-site scripting executes successfully.
>
> ------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Pavaris Jintanapramoth, Rattapon Jitprajong and Pornpwit Sookphoekee
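
Step 8 only works when the browser renders the stored file inline in the site's origin. The check below is an added example, not Kentico code or part of the original report: it audits the response headers of an uploaded-file URL for that condition. The function names, finding codes and sample headers are constructed for illustration.

```python
# Added example, not Kentico code: audit how an uploaded-file URL is served.
# Media types a browser parses as a document that can run script.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "text/xml",
                "application/xml", "image/svg+xml"}

def _first_token(value):
    """Return the part of a header value before any ';' parameters."""
    return value.split(";")[0].strip().lower()

def _sandbox_tokens(csp):
    """Return the CSP sandbox directive's tokens, or None if it is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "sandbox":
            return {p.lower() for p in parts[1:]}
    return None

def audit_upload_response(headers):
    """Return finding codes; an empty list means these header checks found
    nothing that lets the file run script when a user opens the link."""
    h = {k.lower(): v for k, v in headers.items()}
    if _first_token(h.get("content-disposition", "")) == "attachment":
        return []  # downloaded, never rendered
    sandbox = _sandbox_tokens(h.get("content-security-policy", ""))
    if sandbox is not None and "allow-scripts" not in sandbox:
        return []  # rendered, but script execution is disabled
    findings = []
    ctype = _first_token(h.get("content-type", ""))
    if not ctype:
        findings.append("no-content-type")  # browser sniffs the body
    elif ctype in ACTIVE_TYPES or ctype.endswith("+xml"):
        findings.append("active-inline")    # rendered as a document
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("no-nosniff")
    return findings

if __name__ == "__main__":
    # Constructed sample responses for an uploaded .xml file.
    samples = {
        "inline xml": {"Content-Type": "text/xml; charset=utf-8"},
        "forced download": {"Content-Type": "text/xml",
                            "Content-Disposition": 'attachment; filename="a.xml"'},
        "sandboxed": {"Content-Type": "application/xml",
                      "Content-Security-Policy": "default-src 'none'; sandbox"},
    }
    for name, hdrs in samples.items():
        print(name, audit_upload_response(hdrs))
```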
What payload did you use?