Exponent CMS 2.6.0 patch2 - Stored XSS

Summary

NameExponent CMS 2.6.0 patch2 - Stored XSS
Code nameFranklin
ProductExponent CMS
Affected versionsv2.6.0 patch2
StatePublic
Release Date2022-02-03

Vulnerability

KindStored cross-site scripting (XSS)
Rule010. Stored cross-site scripting (XSS)
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Base Score4.8
Exploit availableNo
CVE ID(s)CVE-2022-23047

Description

Exponent CMS 2.6.0 patch2 allows an authenticated admin user to inject persistent javascript code inside the Site/Organization Name,Site Title and Site Header parameters while updating the site settings on http://127.0.0.1/exponentcms/administration/configure_site.

Proof of Concept

  1. Click on the Exponent logo located on the upper left corner.

  2. Go to 'Configure Website'.

  3. Update the 'Site Title' field or any of the vulnerable fields with the following PoC.

    Exponent CMS" onmouseover=alert('xss')>
    
  4. If a user hover the mouse over the logo or visits the 'Configure Website' the XSS will be triggered.

System Information:

  • Version: Exponent CMS 2.6.0 patch2.
  • Operating System: Linux.
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: Mysql

Exploit

There is no exploit for the vulnerability but can be manually exploited.

Mitigation

By 2022-02-03 there is not a patch resolving the issue.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://www.exponentcms.org/

Ticket https://exponentcms.lighthouseapp.com/projects/61783/tickets/1459

Issue https://github.com/exponentcms/exponent-cms/issues/1546

Timeline

Time-lapse-logo

2022-01-24

Vulnerability discovered.

Time-lapse-logo

2022-01-24

Vendor contacted.

Time-lapse-logo

2022-02-03

Public Disclosure.