The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php.
References
Link | Resource |
---|---|
https://github.com/BlackCatDevelopment/BlackCatCMS/commits/release-1.4/upload/backend/preferences/ajax_save.php | Patch Third Party Advisory |
https://github.com/BlackCatDevelopment/BlackCatCMS/compare/1.3.6...1.4Beta | Patch Third Party Advisory |
https://www.exploit-db.com/exploits/49565 | Exploit Third Party Advisory VDB Entry |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-02-16T18:23:00
Updated: 2021-02-16T18:23:00
Reserved: 2021-02-16T00:00:00
Link: CVE-2021-27237
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-02-16T19:15:13.010
Modified: 2021-02-17T20:36:21.970
Link: CVE-2021-27237
JSON object: View
Redhat Information
No data.
CWE