# Exploit Title: Cross site scripting(XSS)
# Author: nu11secur1ty
# Date: 02.27.2021
# Vendor: https://www.concrete5.org/download
# Link: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-3111
# CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3111


[Exploit]
# Place
- Navigate to entries directory
concrete5-8.5.4/index.php/dashboard/express/entries/

# PoC
- Copy and paste the int_string in to Handle field
nu11secur1ty0000000111111100101010100100100100101010101

- fill in the remaining fields and save
- This can inform the attacker to prepare a nasty MySQL injection!

-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://www.exploit-db.com/
https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>