Luxor Forums - White Hat & Community Forums
OctoberCMS User Plugin 1.4.5 - Cross-Site Scripting
#1
# Exploit Title: OctoberCMS User Plugin v1.4.5 - Persistent Cross-Site Scripting
# Date: 2018-04-03
# Author: 0xB9
# Software Link: https://octobercms.com/plugin/rainlab-user
# Version: 1.4.5
# Tested on: Ubuntu 17.10
# CVE: CVE-2018-10366


1. Description:
Front-end user management for October CMS. Allows visitors to create a account.


2. Proof of Concept:
  1. Go to the account page localhost/OctoberCMS/account/
  2. Register & enter the following for your full name
    Code:
    <p """><SCRIPT>alert("XSS")</SCRIPT>">
  3. You will be alerted everytime you visit the account page localhost/OctoberCMS/account/


3. Solution:
Update to 1.4.6

Patch: https://github.com/rainlab/user-plugin/c...de42941d20



[Exploit-DB.com...]
Possibly Related Threads...
Thread
Author
  /  
Last Post