Cross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows remote attacker to execute arbitrary code via the content group name field# CVE-2024-48652
Cross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows remote attacker to execute arbitrary code via the content group name field
Steps to Reproduce:
1.Open the URL: http://127.0.0.1/admin/dashboard
2.Log in using admin credentials.
3.Navigate to the "Settings" section.
4.Click on "Content Groups."
5.Choose the "Edit" option for a content group.
6.In the "Name" field, input the following XSS payload:
```python
"><img src=x onload=alert(1)>
```
7.Save the changes.
8.Refresh the page or navigate to another section.
9.The XSS payload will trigger, and an alert with "1" will pop up.
Vulnerability Type :Cross Site Scripting (XSS)
Vendor of Product:Camaleon-Cms
Affected Product Code Base : camaleon-cms - 2.7.5
Affected Component :Camaleon CMS Settings - Content Group Name Field
Attack Type:Remote
Attack Vectors:
The attack vector involves a logged-in admin user modifying the "Content Group" name field to include a malicious script. This script executes in the context of other users who view the affected content, leading to potential data theft or session hijacking.
Reference:
https://github.com/owen2345/camaleon-cms/blob/master/CHANGELOG.md
https://owasp.org/www-community/attacks/xss/
https://drive.google.com/drive/folders/1MdN4Nv0WKvD3oFANVsmBvWJtZslbYPAN?usp=sharing
Log in to view the POC file snapshot cached by Shenlong Bot
Log in to view