This article is a part of our Vulnerability Database (back to index)
Cross-site Scripting occurrences in Minicms
A cross-site scripting (XSS) vulnerability exists in Mini CMS V1.11. The vulnerability exists in the article upload: post-edit.php page. (2022-06-13, CVE-2021-41663)
MiniCMS v1.11 was discovered to contain a cross-site scripting (XSS) vulnerability via /mc-admin/page-edit.php. (2022-02-10, CVE-2021-44970)
Cross Site Scripting (XSS) in MiniCMS v1.10 allows remote attackers to execute arbitrary code by injecting commands via a crafted HTTP request to the component "/mc-admin/post-edit.php". (2021-04-28, CVE-2020-17999)
In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie. (2019-07-05, CVE-2019-13341)
In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (content box), which can be used to get a user's cookie. (2019-07-05, CVE-2019-13339)
In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, CVE-2018-20520, and CVE-2019-13186. (2019-07-05, CVE-2019-13340)
In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the tags box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, and CVE-2018-20520. (2019-07-03, CVE-2019-13186)
MiniCMS V1.10 has XSS via the mc-admin/post-edit.php query string, a related issue to CVE-2018-10296 and CVE-2018-16233. (2018-12-27, CVE-2018-20520)
An issue was discovered in MiniCMS 1.10. There is an mc-admin/post.php?tag= XSS vulnerability for a state=delete, state=draft, or state=publish request. (2018-08-31, CVE-2018-16298)
MiniCMS V1.10 has XSS via the mc-admin/post-edit.php tags parameter. (2018-08-30, CVE-2018-16233)
An issue was discovered in MiniCMS 1.10. There is a post.php?date= XSS vulnerability. (2018-08-27, CVE-2018-15899)
MiniCMS version 1.1 contains a Cross Site Scripting (XSS) vulnerability in http://example.org/mc-admin/page.php?date={payload} that can result in code injection. (2018-08-20, CVE-2018-1000638)
MiniCMS V1.10 has XSS via the mc-admin/post-edit.php title parameter. (2018-04-22, CVE-2018-10296)
MiniCMS v1.10 has XSS via the mc-admin/conf.php site_link parameter. (2018-04-19, CVE-2018-10227)
Why Cross-site Scripting can be dangerous
Cross site scripting is an attack where a web page executes code that is injected by an adversary. It usually appears, when users input is presented. This attack can be used to impersonate a user, take over control of the session, or even steal API keys.
The attack can be executed e.g. when you application injects the request parameter directly into the HTML code of the page returned to the user:
https://server.com/confirmation?message=Transaction+Complete
what results in:
<span>Confirmation: Transaction Complete</span>
In that case the message can be modified to become a valid Javascript code, e.g.:
https://server.com/confirmation?message=<script>dangerous javascript code here</script>
and it will be executed locally by the user's browser with full access to the user's personal application/browser data:
<span>Confirmation: <script>dangerous javascript code here</script></span>