My-Blog icon indicating copy to clipboard operation
My-Blog copied to clipboard
verified publisher icon ZHENFENG13

Stored XSS - Blog Category

Open NinjaGPT opened this issue 5 months ago • 0 comments

Summary

This XSS vulnerability is different from the previously disclosed CVE-2023-29639 (blog article content) and CVE-2023-29636(blog article tile). This vulnerability occurs when adding blog categories, where the backend implementation lacks strict input validation, allowing XSS payloads to be inserted into the database. The frontend and backend output pages also lack proper encoding, leading to Stored XSS attacks. Additionally, this application has no CSRF protection, enabling attackers to exploit CSRF to trick admin users into adding blog category names containing malicious code.

POC

  • Capture the request and modify categoryName to XSS payload on the endpoint /admin/categories/save, then the malicious code will be stored in database.
Image

SINKS:

  • Access to http://localhost:28083/admin/categories
Image
  • Access to http://localhost:28083/admin/blogs
Image
  • Access to http://localhost:28083/index (any article use this Category)
Image

NinjaGPT avatar Jul 26 '25 07:07 NinjaGPT