Exponent CMS 2.6.0 patch2 - Stored XSS (User-Agent)

Summary

NameExponent CMS 2.6.0 patch2 - Stored XSS (User-Agent)
Code nameCobain
ProductExponent CMS
Affected versionsv2.6.0 patch2
StatePublic
Release Date2022-02-03

Vulnerability

KindStored cross-site scripting (XSS)
Rule010. Stored cross-site scripting (XSS)
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Base Score5.4
Exploit availableNo
CVE ID(s)CVE-2022-23049

Description

Exponent CMS 2.6.0 patch2 allows an authenticated user to inject persistent javascript code on the User-Agent when logging in. When an administratoruser visits the 'User Sessions' tab, the javascript will be triggered allowingan attacker to compromise the administrator session.

Proof of Concept

  1. Use a Web proxy or a tool to modify the browser User-agent with the following PoC.

    User-Agent: <script>alert('XSS')</script>
    
  2. Try to login with a non-admin user.

  3. If an admin user visits 'User Management' > 'User Sessions' the XSS will be triggered.

A non-admin user may compromise an admin session by exploiting this vulnerability.

System Information:

  • Version: Exponent CMS 2.6.0 patch2.
  • Operating System: Linux.
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: Mysql

Exploit

There is no exploit for the vulnerability but can be manually exploited.

Mitigation

By 2022-02-03 there is not a patch resolving the issue.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://www.exponentcms.org/

Ticket https://exponentcms.lighthouseapp.com/projects/61783/tickets/1461

Issue https://github.com/exponentcms/exponent-cms/issues/1546

Timeline

Time-lapse-logo

2022-01-25

Vulnerability discovered.

Time-lapse-logo

2022-01-25

Vendor contacted.

Time-lapse-logo

2022-02-03

Public Disclosure.