关联漏洞
标题:
Zenario CMS 跨站脚本漏洞
(CVE-2023-44771)
描述:Zenario CMS是Zenario开源的一个应用软件。提供一个基于Web的内容管理系统。 Zenario CMS v.9.4.59197版本存在跨站脚本漏洞,该漏洞源于存在跨站脚本(XSS)漏洞。攻击者可利用该漏洞过设计Page Layout有效负载执行任意代码。
描述
Zenariocms 9.4.59197 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a crafted payload to the Page Layout
介绍
# ZenarioCMS Stored XSS v.9.4.59197
## Author: (Sergio)
**Description:** Cross Site Scripting vulnerability in ZenarioCMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Page Layout.
**Attack Vectors:** Scripting a vulnerability in the sanitization of the entry in the Page Layout allows injecting JavaScript code that will be executed when the user accesses the web page.
---
### POC:
When logging into the panel, we will go to the "Layout - Page Layout off the Administration Menu.
We click on Edit Layout and add the following payload:
### XSS Payload:
```js
<img src=x:alert(alt) onerror=eval(src) alt='XSS Page Layout'>
```
In the following image you can see the embedded code that executes the payload in the main web.
</br>
### Additional Information:
https://zenar.io/
https://owasp.org/Top10/es/A03_2021-Injection/
文件快照
[4.0K] /data/pocs/4ece1b7fa92eb96ead83cdf3a03b557c9d679fae
└── [1.2K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。