exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

b2evolution CMS 6.11.6 Cross Site Scripting

b2evolution CMS 6.11.6 Cross Site Scripting
Posted Feb 10, 2021
Authored by Nakul Ratti, Soham Bakore

b2evolution CMS version 6.11.6 suffers from multiple cross site scripting vulnerabilities.

tags | exploit, xss
advisories | CVE-2020-22839, CVE-2020-22841
SHA-256 | 9bc033021181cc828f78a45246fdbf842d7af5b01e9360d87e262f8067d9e475

b2evolution CMS 6.11.6 Cross Site Scripting

Change Mirror Download
# Exploit Title: *Reflected XSS in b2evolution CMS 6.11.6 via tab3
parameter in evoadm.php*
# CVE : *CVE-2020-22839*
# Date: 10/02/2021
# Exploit Author: Nakul Ratti, Soham Bakore
# Vendor Homepage: https://b2evolution.net/
# Software Link:
https://b2evolution.net/downloads/6-11-6-stable?download=12405
# Version: 6.11.6
# Tested on: latest version of Chrome, Firefox on Windows and Linux


Vulnerable File:
--------------------------
http://host/evoadm.php

Vulnerable Issue:
--------------------------
Tab3 parameter has no input validation.

--------------------------Proof of Concept-----------------------
Steps to Reproduce:

1. Send the following URL *http://HOST/evoadm.php <http://host/evoadm.php>?*
*.ctrl=comments&filter=restore&tab3=123%22onmouseover=%22alert(document.domain)%22&blog=1&blog=1*
to
the logged in victim using any social engineering technique.
2. When an unsuspecting user with high privileges opens this URL, XSS will
be triggered which will execute the malicious javascript payload in users
browser.
3. The vulnerable parameter in this case is “*tab3*”.



------

# Exploit Title: b2evolution 6.11.6 - 'plugin name' Stored XSS
# Date: 09/02/2021
# Exploit Author: Soham Bakore, Nakul Ratti
# Vendor Homepage: https://b2evolution.net/
# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
# Version: 6.11.6
# Tested on: latest version of Chrome, Firefox on Windows and Linux
# CVE : CVE-2020-22841


--------------------------Proof of Concept-----------------------

1. Login with an account having high privileges
2. Navigate to System -> Plugins and select any plugin
3. Change the plugin name and enter the following payload "><svg/onload=alert(123)> in the name parameter
4. Payload gets stored in the database
5. The payload gets executed after the victim checks the plugin page.
6. This vulnerability needs high privilege and can affect other users with similar privileges


Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close