Summary
While testing InstantCMS (https://demo.instantcms.io, as this helps us test the dashboard online without installing it locally), I was able to find that the photo upload function on the photo album page performs no input validation. Due to this, we were able to inject an XSS (Cross-Site Scripting) payload and execute it. Cross-site scripting refers to a client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) in a legitimate website or web application. XSS is among the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Details
Affected Component: https://demo.instantcms.io/photos/camera-{payload}
Steps to Reproduce:
1. Log in to https://demo.instantcms.io as a demo user.
2. Visit https://demo.instantcms.io/photos/upload.
3. Upload the image with the embedded payload test <img src="asd" onerror="alert(1)"> in the Camera Model Name metadata field.
5. Visit https://demo.instantcms.io/photos/camera-{payload}
6. Example: https://demo.instantcms.io/photos/camera-Amal_Test%3Cimg+src=%22asd%22+onerror=%22alert(1)%22%3E
8. You will observe the immediate execution of the XSS payload.
Patch
e02de2f
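The following is an added example, not the contents of the commit above and not InstantCMS code: it shows the Camera Model Name value from the reproduction steps rendered unencoded, then handled with output encoding and with normalisation at ingest. The function names and the allowlist policy are hypothetical, and the mbstring extension is assumed to be available.

```php
<?php
// Added example: helper names and the allowlist are hypothetical, not InstantCMS code.

/** Normalise an EXIF string at ingest: it is attacker-controlled, so drop markup and bound its length. */
function normalize_exif_field(string $raw, int $maxLen = 64): string
{
    // Allowlist letters, digits, space and punctuation typical of camera model names.
    // preg_replace returns null on invalid UTF-8 with /u; treat that as an empty value.
    $s = preg_replace('/[^\p{L}\p{N} ._\-()\/+]/u', '', $raw) ?? '';
    return trim(mb_substr($s, 0, $maxLen, 'UTF-8')); // mb_substr assumes mbstring is loaded
}

/** Encode a value for an HTML text or quoted-attribute context. */
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the camera listing link: percent-encode the path segment, then HTML-encode the attribute. */
function camera_link(string $model): string
{
    $href = '/photos/camera-' . rawurlencode($model);
    return '<a href="' . html($href) . '">' . html($model) . '</a>';
}

// Constructed sample: the Camera Model Name value from the reproduction steps.
$exifModel = 'test <img src="asd" onerror="alert(1)">';

// Vulnerable pattern: metadata concatenated into the page as-is, so a browser parses the <img> tag.
$unsafe = '<h1>Camera: ' . $exifModel . '</h1>';

// Hardened pattern 1: encode at output, regardless of what was stored.
$encoded = '<h1>Camera: ' . html($exifModel) . '</h1>';

// Hardened pattern 2: also normalise at ingest, so the stored value carries no markup.
$stored = normalize_exif_field($exifModel);

echo $unsafe, PHP_EOL;
echo $encoded, PHP_EOL;
echo camera_link($stored), PHP_EOL;
```

Output encoding is the control that stops execution; ingest normalisation only reduces what reaches storage and should not replace encoding at every sink.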
Impact
An attacker can use this high severity vulnerability to execute malicious JavaScript aimed to steal cookies, redirect users, perform arbitrary actions on the victim's behalf, logging their keystroke and more. The attacker does not need to find an external way of inducing other users to make a particular request containing their exploit. Rather, the attacker places their exploit into the application itself and simply waits for users to encounter it. XSS can be used to deface the website.