Zotonic < 0.47.0 mod_admin - Cross-Site Scripting 2019-05-03 21:05:16

# Exploit Title: Zotonic <=0.46 mod_admin (Erlang) - Reflective Cross-Site Scripting
# Date: 24-04-2019
# Exploit Author: Ramòn Janssen
# Researchers: Jan-martin Sijs, Joost Quist, Joost Vondeling, Ramòn Janssen
# Vendor Homepage: http://zotonic.com/
# Software Link: https://github.com/zotonic/zotonic/releases/tag/0.46.0
# Version: <=0.46
# CVE : CVE-2019-11504

Attack type

Code Execution

Zotonic versions prior to 0.47 have multiple authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities in the management module. The vulnerabilities can be exploited when an authenticated user with administrative permissions visits a crafted URL (e.g. after being phished, or when visiting a website that embeds the URL). The XSS affects the following URLs and parameters of the management module:
- /admin/overview/ [qcat, qcustompivot, qs]
- /admin/users/ [qs]
- /admin/media/ [qcat, qcustompivot, qs]

Example: https://[host]/admin/overview?qcustompivot="><script>prompt('XSS')</script>
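As an added detection example (not part of the advisory), the following Python script scans web-server access-log lines for requests to the affected admin paths whose listed parameters contain HTML markup after URL-decoding. The Combined Log Format and the sample log entries are assumptions; the path and parameter list comes from the advisory.

```python
"""Flag requests that target the Zotonic mod_admin reflected XSS parameters."""
import re
from urllib.parse import urlsplit, parse_qs

# Affected paths and the parameters reflected unescaped, as listed in the advisory.
AFFECTED = {
    "/admin/overview": {"qcat", "qcustompivot", "qs"},
    "/admin/users": {"qs"},
    "/admin/media": {"qcat", "qcustompivot", "qs"},
}

# Search/filter parameters should never contain an HTML tag opening.
MARKUP = re.compile(r"<\s*/?[a-z]", re.IGNORECASE)
# Request-line extractor for Combined Log Format (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def find_xss_attempts(log_lines):
    """Return (line_no, path, param, decoded_value) for each suspicious parameter."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        path = url.path.rstrip("/")          # /admin/users/ and /admin/users match alike
        params = AFFECTED.get(path)
        if not params:
            continue
        # parse_qs percent-decodes values and turns '+' into spaces.
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name in params:
                for value in values:
                    if MARKUP.search(value):
                        hits.append((n, path, name, value))
    return hits


# Constructed sample log lines (not real traffic). The third carries the
# advisory's example payload, percent-encoded as a browser would send it.
SAMPLE_LOG = [
    '10.0.0.5 - admin [24/Apr/2019:10:01:02 +0200] "GET /admin/overview?qs=news HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [24/Apr/2019:10:01:09 +0200] "GET /admin/users/?qs=jan HTTP/1.1" 200 4096',
    '10.0.0.9 - admin [24/Apr/2019:10:02:30 +0200] "GET /admin/overview?qcustompivot=%22%3E%3Cscript%3Eprompt(%27XSS%27)%3C/script%3E HTTP/1.1" 200 5120',
    '10.0.0.9 - admin [24/Apr/2019:10:02:45 +0200] "GET /admin/media/?qcat=%3Cb%3Ebold%3C/b%3E HTTP/1.1" 200 3000',
    '10.0.0.9 - - [24/Apr/2019:10:03:00 +0200] "GET /page/1?qs=%3Cb%3Ehi HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print("line %d: %s param %s = %r" % hit)
```

Only the two requests that hit an affected path with markup in a listed parameter are reported; the non-admin request on line 5 is ignored.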

Affected source code file zotonic_mod_admin:
- zotonic_mod_admin_identity\priv\templates\_admin_sort_header.tpl
- zotonic_mod_admin_identity\priv\templates\admin_users.tpl