CVE-2021-38602 PoC — PluXml 跨站脚本漏洞

Source

https://github.com/KielVaughn/CVE-2021-38602

Associated Vulnerability

Title:PluXml 跨站脚本漏洞 (CVE-2021-38602)
Description:PluXml是一个免费的开源内容管理系统，不需要数据库即可工作。 PluXML存在跨站脚本漏洞，该漏洞源于PluXML 5.8.7 的 Article Editing 功能允许通过标题或内容实现存储型 XSS 漏洞。

Readme

# CVE-2021-38602

A stored cross site scripting vulnerability is present on the Article editing page in version 5.8.7 of PluXML. User input is not properly sanitized in multiple fields.

## Vulnerable Fields:

- Headline (optional):
- Content:

![Create Article Page](PluXML_Create_Article.png)

Once inserted, XSS can be triggered by visiting the posted article at the link mentioned under **Link to article:** near the top of the page.

![Link to Article](PluXML_Link_to_Article.png)

### Headline Stored XSS Example
---

![Headline XSS](PluXML_Headline_Stored_XSS.png)

### Content Stored XSS Example
---

![Content XSS](PluXML_Content_Stored_XSS.png)

File Snapshot


 [4.0K]  /data/pocs/442636e870930ebbadf0c5887ccdbd196a4778d8
├── [3.1K]  PluXML_Content_Stored_XSS.png
├── [ 73K]  PluXML_Create_Article.png
├── [3.6K]  PluXML_Headline_Stored_XSS.png
├── [3.5K]  PluXML_Link_to_Article.png
└── [ 655]  README.md

0 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!