A stored cross-site scripting (XSS) vulnerability in the Create the function of Zenario CMS v9.4

·

1 min read

Vendor Homepage:

Zenario

Version:

Zenario 9.4

Tested On:

Marcos, review source code

Description:

A vulnerability XSS injection was found in Zenario 9.4. Cross-site scripting (XSS) is a type of security vulnerability that occurs when a web application includes untrusted data in its output to a web browser. This can allow malicious scripts to be executed by a user's browser, potentially compromising their data and interactions with the website. XSS attacks can have various impacts, including stealing sensitive information, session hijacking, defacement of websites, and more.

Proof of Concept:

  1. Login to account https://demo.zenar.io/admin

image

  1. In the tab menu click on event and create a new event

    image

  2. Inject payload to Menu navigation text, choice menu note menu (simple choice account ), and save the event

       "' <img src="{{7*7}} onerror="alert(1)">\
    

    image

  3. Go to Menu navigation and click on account. Move the mouse to the event then the payload is executed.

    image