Exploit for Concrete5 8.5.4 Cross Site Scripting CVE-2021-3111

Name: Exploit for Concrete5 8.5.4 Cross Site Scripting CVE-2021-3111
Rating: 5 (164 reviews)

2021-03-29 | CVSS 3.5

## https://sploitus.com/exploit?id=PACKETSTORM:161997
# Exploit Title: Concrete5 8.5.4 - 'name' Stored XSS  
# Date: 2021-01   
# Exploit Author: Quadron Research Lab  
# Version: Concrete5 8.5.4   
# Tested on: Windows 10 x64 HUN/ENG Professional  
# Vendor: Concrete5 CMS (https://www.concrete5.org)  
# CVE: CVE-2021-3111  
  
[Suggested description]  
The Express Entries Dashboard inConcrete5 8.5.4 allows stored XSS via the name field of a new data object at anindex.php/dashboard/express/entries/view/ URI.  
  
[Attack Vectors]  
Creating a new data object, the name field is not filtered. It is possible to place JavaScript code. [Stored XSS]  
  
Proof of Concept  
https://github.com/Quadron-Research-Lab/CVE/blob/main/CVE-2021-3111.pdf