Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2023-44760 PoC — PortlandLabs Concrete CMS 跨站脚本漏洞

Source
https://github.com/sromanhu/CVE-2023-44760_ConcreteCMS-Stored-XSS---TrackingCodes
Associated Vulnerability
Title:PortlandLabs Concrete CMS 跨站脚本漏洞 (CVE-2023-44760)
Description:Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. NOTE: the vendor disputes this because these header/footer changes can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature. Also, the exploitation method claimed by "sromanhu" does not provide any access to a Concrete CMS session, because the Concrete CMS session cookie is configured as HttpOnly.
Description
Multiple Cross Site Scripting vulnerability in ConcreteCMS v.9.2.1 allows a local attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics
Readme
# ConcreteCMS Stored XSS v.9.2.1

## Author: (Sergio)

**Description:** Multiple Cross Site Scripting vulnerability in ConcreteCMS v.9.2.1 allows a local attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics.

**Attack Vectors:** Scripting A vulnerability in the sanitization of the entry in the Header and Footer Tracking Codes of "SEO & Statistics" allows injecting JavaScript code that will be executed when the user accesses the web page.

---

### POC:


When logging into the panel, we will go to the "SEO & Statistics- Header and Footer Tracking Codes." section off Dashboard Menu.

![image](https://github.com/sromanhu/ConcreteCMS-Stored-XSS---TrackingCodes/assets/87250597/6b7c8a46-9654-41a2-9bae-3f6fbc0d88bf)



### XSS Payload:

```js
<img src=x:alert(alt) onerror=eval(src) alt='XSS Header'>
```


```js
<img src=x:alert(alt) onerror=eval(src) alt='XSS Footer'>
```



In the following image you can see the embedded code that executes the payload in the main web.
![image](https://github.com/sromanhu/ConcreteCMS-Stored-XSS---TrackingCodes/assets/87250597/863d688b-070d-45fd-af4a-5d6c2d8eeb61)


![image](https://github.com/sromanhu/ConcreteCMS-Stored-XSS---TrackingCodes/assets/87250597/b62dbf4b-0bed-4457-b0de-d10eb215451a)



We can use a payload to steal cookies and obtain them when a user logs on to the website in the two vulnerable fields.

![image](https://github.com/sromanhu/ConcreteCMS-Stored-XSS---TrackingCodes/assets/87250597/c48195a2-8eb8-4c38-b1bb-1097ac8f1fd3)


![image](https://github.com/sromanhu/ConcreteCMS-Stored-XSS---TrackingCodes/assets/87250597/9faf9541-1dd9-4490-abba-808e702a643f)


Original session cookie.

![image](https://github.com/sromanhu/ConcreteCMS-Stored-XSS---TrackingCodes/assets/87250597/12dce455-d11a-47b9-8cdf-6c18d507c40f)



Request captured with the external server:

![image](https://github.com/sromanhu/ConcreteCMS-Stored-XSS---TrackingCodes/assets/87250597/e70817ae-140b-4943-abd8-e585f5593556)




</br>

### Additional Information:
https://www.concretecms.com/

https://owasp.org/Top10/es/A03_2021-Injection/
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →