Menu

"Sitecore 9.0 rev 171002 - Persistent Cross-Site Scripting"

Author

"Owais Mehtab"

Platform

aspx

Release date

2019-07-11

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# Exploit Title: Stored Cross Site Scripting (XSS) in Sitecore 9.0 rev 171002
# Date: July 11, 2019
# Exploit Author: Owais Mehtab
# Vendor Homepage: http://www.sitecore.net/en
# Version: 9.0 rev. 171002
# Tested on: Sitecore Experience Platform 8.1 Update-3 i.e.; 8.1 rev. 160519
# CVE : CVE-2019-13493

Vendor Description
------------------
Sitecore CMS makes it effortless to create content and experience rich websites that help you achieve your business goals such as increasing sales and search engine visibility, while being straight-forward to integrate and administer. Sitecore lets you deliver sites that are highly scalable, robust and secure. Whether you're focused on marketing, development and design, or providing site content, Sitecore delivers for you.

Description
------------
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Vulnerability Class
--------------------
Cross-site Scripting (XSS) - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Proof of Concept
----------------
File Extension parameter is not properly escaped. This could lead to an XSS attack that could possibly affect administrators,users,editor.

1. Login to application and navigate to "https://example.com/sitecore/shell/Applications/Content Editor.aspx?sw_bw=1"
2. Go to media library and click on any image and edit it
3. Now in Extension input parameter inject any XSS vector like '"><svg=onload=prompt(2)>
Release Date Title Type Platform Author
2019-07-11 "Sitecore 9.0 rev 171002 - Persistent Cross-Site Scripting" webapps aspx "Owais Mehtab"
2019-06-25 "BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal" webapps aspx "Aaron Bishop"
2019-06-20 "BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection" webapps aspx "Aaron Bishop"
2019-06-19 "BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Execution" webapps aspx "Aaron Bishop"
2019-06-19 "BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Directory Traversal / Remote Code Execution" webapps aspx "Aaron Bishop"
2019-06-13 "Sitecore 8.x - Deserialization Remote Code Execution" webapps aspx "Jarad Kopf"
2019-02-12 "BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution" webapps aspx "Dustin Cobb"
2019-01-14 "Umbraco CMS 7.12.4 - Authenticated Remote Code Execution" webapps aspx "Gregory Draperi"
2017-05-05 "Sitecore CMS 8.2 - Cross-Site Scripting / Arbitrary File Disclosure" webapps aspx "Usman Saeed"
2018-10-29 "Library Management System 1.0 - 'frmListBooks' SQL Injection" webapps aspx "Ihsan Sencan"
2018-10-24 "Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting" webapps aspx "Dino Barlattani"
2018-10-10 "Ektron CMS 9.20 SP2 - Improper Access Restrictions" webapps aspx alt3kx
2018-08-06 "Sitecore.Net 8.1 - Directory Traversal" webapps aspx Chris
2018-06-04 "EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting" webapps aspx "Chris Barretto"
2018-03-13 "SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities" webapps aspx "SEC Consult"
2017-09-27 "SmarterStats 11.3.6347 - Cross-Site Scripting" webapps aspx sqlhacker
2017-09-13 "ICEstate 1.1 - 'id' SQL Injection" webapps aspx "Ihsan Sencan"
2017-06-14 "KBVault MySQL 0.16a - Arbitrary File Upload" webapps aspx "Fatih Emiral"
2017-05-09 "Personify360 7.5.2/7.6.1 - Improper Database Schema Access Restrictions" webapps aspx "Pesach Zirkind"
2017-05-09 "Personify360 7.5.2/7.6.1 - Improper Access Restrictions" webapps aspx "Pesach Zirkind"
2018-02-02 "IPSwitch MOVEit 8.1 < 9.4 - Cross-Site Scripting" webapps aspx 1n3
2017-12-27 "DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)" webapps aspx "Glafkos Charalambous"
2017-03-15 "Sitecore CMS 8.1 Update-3 - Cross-Site Scripting" webapps aspx "Pralhad Chaskar"
2017-01-17 "Check Box 2016 Q2 Survey - Multiple Vulnerabilities" webapps aspx "Fady Mohammed Osman"
2018-01-24 "Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Arbitrary File Upload" webapps aspx "Paul Taylor"
2018-01-24 "Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Encryption Keys Disclosure" webapps aspx "Paul Taylor"
2016-09-22 "Microix Timesheet Module - SQL Injection" webapps aspx "Anthony Cole"
2016-09-19 "MuM MapEdit 3.2.6.0 - Multiple Vulnerabilities" webapps aspx "Paul Baade & Sven Krewitt"
2017-11-16 "LanSweeper 6.0.100.75 - Cross-Site Scripting" webapps aspx "Miguel Mendez Z"
Release Date Title Type Platform Author
2019-07-11 "Sitecore 9.0 rev 171002 - Persistent Cross-Site Scripting" webapps aspx "Owais Mehtab"
2015-08-07 "WordPress Plugin Job Manager 0.7.22 - Persistent Cross-Site Scripting" webapps php "Owais Mehtab"
2017-09-30 "Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow" remote windows "Owais Mehtab"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47106/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/47106/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47106/41494/sitecore-90-rev-171002-persistent-cross-site-scripting/download/", "exploit_id": "47106", "exploit_description": "\"Sitecore 9.0 rev 171002 - Persistent Cross-Site Scripting\"", "exploit_date": "2019-07-11", "exploit_author": "\"Owais Mehtab\"", "exploit_type": "webapps", "exploit_platform": "aspx", "exploit_port": null}
                                            

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse