Re: Stored XSS vulnerability in diafan.CMS

[security curmudgeon <jericho () attrition org>]

: Vulnerability ID: HTB22776
: Reference: http://www.htbridge.ch/advisory/stored_xss_vulnerability_in_diafan_cms.html
: Product: diafan.CMS

: Vulnerability Details:
: User can execute arbitrary JavaScript code within the vulnerable application.
: 
: The vulnerability exists due to failure in the 
: "http://host/admin/site/save2/"; script to properly sanitize 
: user-supplied input in "text" variable. Successful exploitation of this 
: vulnerability could result in a compromise of the application, theft of 
: cookie-based authentication credentials, disclosure or modification of 
: sensitive data.

This is the site editor functionality, correct? This requires 
administrative access and is *designed* to allow the admin to enter any 
HTML or script code desired.

If an attacker can access this page, couldn't they do other bad things? Is 
there really a crossing of privilege boundary here?