[CVE-2023-30177] Stored - Cross Site Script (XSS)
CraftCMS
Exploit Author: Dat Nguyen aka datnlq of VietSunshine Cyber Security Services
Vendor of Product: CraftCMS
Affected Product Code Base: 3.7.59
CVE: CVE-2023-30177
Description: CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name.
Steps to reproduce:
Create new Field (Settings -> Fields -> New Field) with type of Field Type is Assets
Create new Volume (Settings -> Assets -> Volumes -> New Volume), inject malicious javascript code into Name Field and setting Field created at step 1 to Content.
Create new Global set (Settings -> Globals -> New Global set). At Field Layout, create New Tab and add field that created at Step 1
Go to Globals -> Click Global set created at Step 3 -> Choose 'Upload files' and upload arbitrary file to server
Double click on the uploaded file at step 4, XSS will be executed
Last updated