Exponent CMS 2.6.0 patch2 - Stored XSS
Summary
Name | Exponent CMS 2.6.0 patch2 - Stored XSS |
Code name | |
Product | Exponent CMS |
Affected versions | v2.6.0 patch2 |
State | Public |
Release date | 2022-02-03 |
Vulnerability
Kind | Stored cross-site scripting (XSS) |
Rule | |
Remote | Yes |
CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
CVSSv3.1 Base Score | 4.8 |
Exploit available | No |
CVE ID(s) | |
Description
Exponent CMS 2.6.0 patch2 allows an authenticated admin user to inject persistent JavaScript code through the Site/Organization Name, Site Title and Site Header parameters while updating the site settings at http://127.0.0.1/exponentcms/administration/configure_site. The values are rendered back into an HTML attribute without output encoding, so a value containing a double quote closes the attribute and the remainder is interpreted as new attributes of the tag.
Proof of Concept
- Click on the Exponent logo located in the upper left corner.
- Go to 'Configure Website'.
- Update the 'Site Title' field (or any of the other vulnerable fields) with the following PoC:
Exponent CMS" onmouseover=alert('xss')>
- When a user hovers the mouse over the logo or visits 'Configure Website', the XSS is triggered.
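To show why the payload above works and what the fix looks like, here is an added Python example that is not Exponent CMS code: the template strings, function names and setting values are constructed for illustration. It renders a setting into an `alt` attribute the way a vulnerable template would, then with attribute-context output encoding, and uses the standard-library HTML tokenizer to check whether an event-handler attribute ends up on the tag.

```python
import html
from html.parser import HTMLParser

# Constructed payload, identical to the PoC above: it closes the quoted
# attribute, adds an event-handler attribute and then closes the tag.
PAYLOAD = "Exponent CMS\" onmouseover=alert('xss')>"


def render_logo_vulnerable(site_title: str) -> str:
    """Hypothetical template that concatenates the setting verbatim into an
    attribute value; this is the pattern the advisory describes."""
    return f'<img src="/logo.png" alt="{site_title}">'


def render_logo_fixed(site_title: str) -> str:
    """Same template with output encoding for HTML attribute context.
    quote=True encodes both " and ', so the value can never close the attribute."""
    return f'<img src="/logo.png" alt="{html.escape(site_title, quote=True)}">'


class _AttrCollector(HTMLParser):
    """Collects the attributes of every start tag, roughly as a browser's
    tokenizer would assign them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend((tag, name, value) for name, value in attrs)


def event_handler_attrs(markup: str) -> list:
    """Return (tag, attribute, value) for every on* attribute found in markup."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return [(t, n, v) for t, n, v in parser.attrs if n.startswith("on")]


def audit_settings(settings: dict, renderer) -> dict:
    """Render each setting with `renderer` and report the fields whose value
    escapes the attribute context and becomes an event handler."""
    findings = {}
    for field, value in settings.items():
        handlers = event_handler_attrs(renderer(value))
        if handlers:
            findings[field] = handlers
    return findings


# Constructed settings, named after the three fields the advisory lists.
SETTINGS = {
    "Site/Organization Name": "Acme Inc.",
    "Site Title": PAYLOAD,
    "Site Header": "Welcome",
}

if __name__ == "__main__":
    print("vulnerable:", render_logo_vulnerable(PAYLOAD))
    print("  handlers:", event_handler_attrs(render_logo_vulnerable(PAYLOAD)))
    print("fixed:     ", render_logo_fixed(PAYLOAD))
    print("  handlers:", event_handler_attrs(render_logo_fixed(PAYLOAD)))
    print("audit (vulnerable):", audit_settings(SETTINGS, render_logo_vulnerable))
    print("audit (fixed):     ", audit_settings(SETTINGS, render_logo_fixed))
```

With the vulnerable renderer the tokenizer sees three attributes on the `img` tag, the third being `onmouseover=alert('xss')`, which is exactly what fires when the logo is hovered; with the encoded renderer the whole payload stays inside the `alt` value and no handler attribute exists.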
System Information:
- Version: Exponent CMS 2.6.0 patch2.
- Operating System: Linux.
- Web Server: Apache
- PHP Version: 7.4
- Database and version: MySQL
Exploit
There is no exploit for the vulnerability, but it can be exploited manually by following the proof of concept above.
Mitigation
As of 2022-02-03 there is no patch resolving the issue. Until one is released, restrict the admin role to trusted users; the fix on the vendor side is to output-encode these settings for HTML attribute context when rendering them.
Credits
The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.
References
Vendor page https://www.exponentcms.org/
Ticket https://exponentcms.lighthouseapp.com/projects/61783/tickets/1459
Issue https://github.com/exponentcms/exponent-cms/issues/1546
Timeline
2022-01-24: Vulnerability discovered.
2022-01-24: Vendor contacted.
2022-02-03: Public disclosure.