来源

关联漏洞

描述

Cross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows remote attacker to execute arbitrary code via the content group name field

介绍

# CVE-2024-48652
Cross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows remote attacker to execute arbitrary code via the content group name field

Steps to Reproduce:

1.Open the URL: http://127.0.0.1/admin/dashboard

2.Log in using admin credentials.

3.Navigate to the "Settings" section.

4.Click on "Content Groups."

5.Choose the "Edit" option for a content group.

6.In the "Name" field, input the following XSS payload:

```python
"><img src=x onload=alert(1)>
```
7.Save the changes.
8.Refresh the page or navigate to another section.
9.The XSS payload will trigger, and an alert with "1" will pop up.

Vulnerability Type :Cross Site Scripting (XSS)

Vendor of Product:Camaleon-Cms

Affected Product Code Base : camaleon-cms - 2.7.5

Affected Component :Camaleon CMS Settings - Content Group Name Field

Attack Type:Remote

Attack Vectors:
The attack vector involves a logged-in admin user modifying the "Content Group" name field to include a malicious script. This script executes in the context of other users who view the affected content, leading to potential data theft or session hijacking.

Reference:

https://github.com/owen2345/camaleon-cms/blob/master/CHANGELOG.md

https://owasp.org/www-community/attacks/xss/

https://drive.google.com/drive/folders/1MdN4Nv0WKvD3oFANVsmBvWJtZslbYPAN?usp=sharing

文件快照

 [4.0K]  /data/pocs/5d7fbfba749197d517019c6f41b0b9ff737d8024
├── [1.3K]  README.md
└── [ 95K]  xss_incamleon_cms.png

0 directories, 2 files

备注