Zotonic < 0.47.0 mod_admin - Cross-Site Scripting

ID: 101409
CVE: None
Download vulnerable application: None
# Exploit Title: Zotonic <=0.46 mod_admin (Erlang) - Reflective Cross-Site Scripting
# Date: 24-04-2019
# Exploit Author: Ramòn Janssen
# Researchers: Jan-martin Sijs, Joost Quist, Joost Vondeling, Ramòn Janssen
# Vendor Homepage: http://zotonic.com/
# Software Link: https://github.com/zotonic/zotonic/releases/tag/0.46.0
# Version: <=0.46
# CVE : CVE-2019-11504

Attack type

Code Execution

Zotonic versions prior to 0.47 have multiple authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities in the management module. The vulnerabilitie can be exploited when an authenticated user with administrative permissions visits the crafted URL (i.e. when phished or visits a website containing the URL). The XSS effects the following URLs and parameters of the management module:
- /admin/overview/ [qcat, qcustompivot, qs]
- /admin/users/ [qs]
- /admin/media/ [qcat,qcustompivot, qs]

Example: https://[host]/admin/overview?qcustompivot="><script>prompt(‘XSS’)</script>

Affected source code file zotonic_mod_admin:
- zotonic_mod_admin_identity\priv\templates\_admin_sort_header.tpl
- zotonic_mod_admin_identity\priv\templates\admin_users.tpl

1.3.0 (www01)