October CMS : 3.6.30 Malicious file upload (CVE-2024–45962) - GrimTheRipper - Medium

October CMS : 3.6.30 Malicious file upload (CVE-2024–45962)
GrimTheRipper
·Follow
Sep 3, 2024
--
Description : We have identified a vulnerability that allows an authenticated admin account to upload a PDF file containing malicious javascript code (Stored Cross-Site Scripting) into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted javascript to the target.
Affected Component : http://{IP}/admin/media
Payload:
<script>alert(/Grim The Ripper Team by SOSECURE Thailand/)</script>Proof of Concept:
First, login to the Backend Area.
We login to the target application with admin privileges.
Select the Media menu from the top bar.
Go to Documents and select Upload.
Select the file containing the XSS script that you want to upload
Click “Click here” on the right side to open the file.
The XSS payload will run immediately.
Author:
Grim The Ripper Team by SOSECURE Thailand
--
--
Written by GrimTheRipper23 Followers
·9 Following
You get the best out of others when you give the best of yourself
No responses yet
Help
Status
About
Careers
Press
Blog
Privacy
Terms
Text to speech
Teams