Vvweb 1.0.5 Stored XSS in Admin Panel Leading to Cookie Theft

Key Information Details Software Type: Web App Software Name: Vvweb Affected Version: 1.0.5 Software Vendor: Vvweb Software Link: https://github.com/gianaz/Vvweb Severity: High CVSS Score: 8.8 CVE Link: TBA Affected Assets: 163+ Discovery Date: January 3, 2025 PoC Exploit: https://gist.github.com/OxHamy/b2674eefdfd1f73af96d29f152c47bcbd Description Vulnerability Description: An XSS vulnerability exists in the endpoint . When a payload is applied here, it compromises the entire site and every endpoint accessed via . Scope of Impact: This vulnerability can be exploited by any user with the roles of "site administrator", "administrator", or "super administrator". Potential Harm: A carefully crafted XSS payload can be used to steal cookies from multiple site administrators, editors, vendors, and other users. Reproduction Steps 1. Log in as a user with the "site administrator" role and navigate to the following endpoint: 2. In the top-left corner, click the "Add Type" button. Here, you can add a post type. In the field, input a payload such as: 3. Whenever someone logs in through the admin panel , this payload will execute, triggering malicious JavaScript designed to silently steal cookies. 4. To set up a cookie-stealing server, save the following PHP script as : https://gist.github.com/OxHamy/b2674eefdfd1f73af96d29f152c47bcbd 5. Start a PHP server to serve the script: Proof of Concept (PoC) Video Video screenshots demonstrate the exploitation process.

Goal Reached Thanks to every supporter — we hit 100%!

Vvweb 1.0.5 Stored XSS in Admin Panel Leading to Cookie Theft