b2evolution CMS version 6.11.6 suffers from multiple cross site scripting vulnerabilities.
9bc033021181cc828f78a45246fdbf842d7af5b01e9360d87e262f8067d9e475
# Exploit Title: *Reflected XSS in b2evolution CMS 6.11.6 via tab3
parameter in evoadm.php*
# CVE : *CVE-2020-22839*
# Date: 10/02/2021
# Exploit Author: Nakul Ratti, Soham Bakore
# Vendor Homepage: https://b2evolution.net/
# Software Link:
https://b2evolution.net/downloads/6-11-6-stable?download=12405
# Version: 6.11.6
# Tested on: latest version of Chrome, Firefox on Windows and Linux
Vulnerable File:
--------------------------
http://host/evoadm.php
Vulnerable Issue:
--------------------------
Tab3 parameter has no input validation.
--------------------------Proof of Concept-----------------------
Steps to Reproduce:
1. Send the following URL *http://HOST/evoadm.php <http://host/evoadm.php>?*
*.ctrl=comments&filter=restore&tab3=123%22onmouseover=%22alert(document.domain)%22&blog=1&blog=1*
to
the logged in victim using any social engineering technique.
2. When an unsuspecting user with high privileges opens this URL, XSS will
be triggered which will execute the malicious javascript payload in users
browser.
3. The vulnerable parameter in this case is “*tab3*”.
------
# Exploit Title: b2evolution 6.11.6 - 'plugin name' Stored XSS
# Date: 09/02/2021
# Exploit Author: Soham Bakore, Nakul Ratti
# Vendor Homepage: https://b2evolution.net/
# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
# Version: 6.11.6
# Tested on: latest version of Chrome, Firefox on Windows and Linux
# CVE : CVE-2020-22841
--------------------------Proof of Concept-----------------------
1. Login with an account having high privileges
2. Navigate to System -> Plugins and select any plugin
3. Change the plugin name and enter the following payload "><svg/onload=alert(123)> in the name parameter
4. Payload gets stored in the database
5. The payload gets executed after the victim checks the plugin page.
6. This vulnerability needs high privilege and can affect other users with similar privileges