CVE-2021-38603 PoC — PluXml 跨站脚本漏洞

Source

https://github.com/KielVaughn/CVE-2021-38603

Associated Vulnerability

Title:PluXml 跨站脚本漏洞 (CVE-2021-38603)
Description:PluXml是一个免费的开源内容管理系统，不需要数据库即可工作。 PluXML存在跨站脚本漏洞，该漏洞源于 core/admin/profil.php 页面允许通过 Information 字段实现存储型 XSS 漏洞。

Readme

# CVE-2021-38603

A stored cross site scripting vulnerability is present on the Profile edit page in the **Information:** field for each user.

## http://\<hostname/server ip\>/core/admin/profil.php

### Vulnerable Fields:

- Information:

![User Profile Page](PluXML_Profile.png)

Once inserted, XSS can be triggered by visiting any page/article created by that particular user.

![Profile XSS](PluXML_Profile_Stored_XSS.png)

File Snapshot


 [4.0K]  /data/pocs/c4cbb652b612bb9192245f90ce39b9e5d17df9d1
├── [ 32K]  PluXML_Profile.png
├── [554K]  PluXML_Profile_Stored_XSS.png
└── [ 427]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.