Cross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows remote attacker to execute arbitrary code via the content group name field

paragbagul111/CVE-2024-48652

CVE-2024-48652

Cross-site scripting vulnerability in camaleon-cms v.2.7.5 allows a remote attacker to execute arbitrary code via the content group name field.

Steps to Reproduce:

1. Open the URL: http://127.0.0.1/admin/dashboard

2. Log in using admin credentials.

3. Navigate to the "Settings" section.

4. Click on "Content Groups."

5. Choose the "Edit" option for a content group.

6. In the "Name" field, input the following XSS payload:

"><img src=x onload=alert(1)>

7. Save the changes.

8. Refresh the page or navigate to another section.

9. The XSS payload will trigger, and an alert with "1" will pop up.

Vulnerability Type: Cross Site Scripting (XSS)

Vendor of Product: Camaleon-Cms

Affected Product Code Base: camaleon-cms - 2.7.5

Affected Component: Camaleon CMS Settings - Content Group Name Field

Attack Type: Remote

Attack Vectors: The attack vector involves a logged-in admin user modifying the "Content Group" name field to include a malicious script. This script executes in the context of other users who view the affected content, leading to potential data theft or session hijacking.
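Added example, not part of the original advisory and not Camaleon CMS source code: it shows why a stored name beginning with `">` closes an HTML attribute when interpolated without escaping, how output encoding keeps it as inert text, and a simple audit check for names already stored. The form templates, the `group[name]` field name and all helper names are assumptions made for illustration.

```ruby
require "erb"

# Constructed sample input: the name value from step 6 of this page, plus a benign name.
SAMPLE_NAMES = ['"><img src=x onload=alert(1)>', "Landing pages"].freeze

# Hypothetical edit-form fragments (assumption, not the project's views).
# Plain ERB does not escape <%= %>; Rails views escape by default unless a
# value is marked html_safe or passed through raw.
UNSAFE_FORM = ERB.new('<input type="text" name="group[name]" value="<%= name %>">')
SAFE_FORM   = ERB.new(
  '<input type="text" name="group[name]" value="<%= ERB::Util.html_escape(name) %>">'
)

# Vulnerable pattern: the stored value is written into the attribute verbatim.
def render_unsafe(name)
  UNSAFE_FORM.result_with_hash(name: name)
end

# Hardened pattern: encode & < > " ' before the value reaches the attribute.
def render_safe(name)
  SAFE_FORM.result_with_hash(name: name)
end

# Number of element start tags present in a rendered fragment.
# The form should contain exactly one: the <input> itself.
def tag_count(html)
  html.scan(/<[a-zA-Z]/).length
end

# Audit helper for names already saved: flags characters that can end an
# attribute value or open a tag.
def suspicious_name?(name)
  name.match?(/[<>"]/)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_NAMES.each do |name|
    puts "name:       #{name.inspect}"
    puts "  unsafe:   #{render_unsafe(name)} (tags: #{tag_count(render_unsafe(name))})"
    puts "  escaped:  #{render_safe(name)} (tags: #{tag_count(render_safe(name))})"
    puts "  flagged:  #{suspicious_name?(name)}"
  end
end
```

A fragment that renders with more than one start tag means the stored name escaped its attribute; the escaped form always renders exactly one.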

Reference:

https://github.com/owen2345/camaleon-cms/blob/master/CHANGELOG.md

https://owasp.org/www-community/attacks/xss/

https://drive.google.com/drive/folders/1MdN4Nv0WKvD3oFANVsmBvWJtZslbYPAN?usp=sharing
