Stored XSS in navigatecms

Issue #3 resolved
tripti misra created an issue

Target URL: http://demo.navigatecms.com/navigate/navigate.php?fid=items&act=edit&id=19&tab=2&tab_language=en

Vulnerable parameter: Title

About: Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use.

POC:

Step 1: open the URL below:
http://demo.navigatecms.com/navigate/navigate.php?fid=items&act=edit&id=19&tab=2&tab_language=en

[Image: step1.JPG]

Step 2: insert the malicious script inside the Title parameter: <img src=xss onerror=alert(1)>

Step 3: in the image below, you can see the malicious script get executed.

[Image: step2.JPG]

Impact: the impact of XSS is almost limitless, but it commonly includes transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine.

Mitigation:
1. Input sanitization
2. Output encoding
3. Input validation
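The mitigations listed above, shown as an added PHP example that is not Navigate CMS code and is not the fix from the project's commit. It renders a stored item title two ways: once by concatenating the value straight into HTML (the pattern that makes a stored title like the one in this report execute) and once with output encoding for the HTML context, plus a separate validation check applied before the title is stored. The function names (renderTitleVulnerable, renderTitleSafe, encodeHtml, isAcceptableTitle) are hypothetical and the sample title is a constructed value taken from the report.

```php
<?php
// Added example, not Navigate CMS code. Constructed sample: the payload from the report,
// as it would sit in the database after being saved as an item title.
$storedTitle = '<img src=xss onerror=alert(1)>';

// Vulnerable rendering: the stored value is concatenated into the markup unchanged, so the
// browser parses the <img> tag and runs its onerror handler every time the page is viewed.
function renderTitleVulnerable(string $title): string
{
    return '<input type="text" name="title" value="' . $title . '">'
         . '<h1>' . $title . '</h1>';
}

// Output encoding for the HTML context. ENT_QUOTES also encodes both quote characters, so
// the value cannot terminate the value="..." attribute; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string and silently dropping the title.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: identical markup, but every interpolated value goes through encodeHtml().
function renderTitleSafe(string $title): string
{
    $enc = encodeHtml($title);
    return '<input type="text" name="title" value="' . $enc . '">'
         . '<h1>' . $enc . '</h1>';
}

// Input validation as defence in depth, applied before the title is stored: a title is plain
// text, so reject empty, over-long, non-UTF-8 values and anything containing angle brackets
// or control characters. This never replaces output encoding, which is what actually
// prevents the injection at render time.
function isAcceptableTitle(string $title, int $maxLen = 200): bool
{
    if ($title === '' || !mb_check_encoding($title, 'UTF-8')) {
        return false;
    }
    if (mb_strlen($title, 'UTF-8') > $maxLen) {
        return false;
    }
    return preg_match('/[<>\x00-\x1F\x7F]/u', $title) === 0;
}

echo "Vulnerable: ", renderTitleVulnerable($storedTitle), PHP_EOL;
echo "Encoded:    ", renderTitleSafe($storedTitle), PHP_EOL;
echo "Validation on payload:      ", var_export(isAcceptableTitle($storedTitle), true), PHP_EOL;
echo "Validation on normal title: ", var_export(isAcceptableTitle('Hello, world'), true), PHP_EOL;
```

Run it with `php example.php`: the first line echoes the stored tag intact, the second shows the angle brackets turned into entities so the browser displays the text rather than creating an element, and the validation check rejects the payload while accepting an ordinary title. The encoding belongs at the point of output, not only at the point of input, because the same stored title is rendered in several places (the edit form's value attribute and the page heading here) and each context needs the encoding appropriate to it.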

Comments (2)

  1. Navigate CMS repo owner

    We've fixed the issue in the demo and in our repository: https://bitbucket.org/navigatecms/navigatecms/commits/586e67ce1c43d459f6b00221fb30be26fcbfb866

    We'd like to comment that it is very unlikely that a user who has legit access to a Navigate instance wants to do an XSS attack (it would be like shooting oneself in the foot). In fact, if someone manages to access the backend, he can do much more harm than that.

    Anyway your report uncovered another internal issue which has already been fixed by the same commit.

    Thank you very much.
