Posts

My First CVE found

CVE-2018-11564 - Stored XSS in PageKit CMS <=1.0.13 via image upload using SVG files. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11564 A stored XSS has been found  in PageKit CMS affecting versions <=1.0.13. A user can upload SVG files in the image upload portion of the CMS. These SVG files can contain malicious scripts. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/poc.svg" that will point to http://localhost/pagekit/stora ge/poc.svg . When a user comes along to click that link, it will trigger a XSS attack.