IbuyuCMS Cross-Site Scripting Vulnerability in Add Article Page

A cross-site scripting (XSS) vulnerability has been identified in IbuyuCMS versions through 2.6.3. The issue resides in the Add Article Page component, specifically within the file /admin/article.php?a=mod. The vulnerability is triggered by manipulating the Title argument, allowing for the injection of malicious scripts. This stored XSS vulnerability can be exploited remotely, with public proof-of-concept exploits available.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content. This could lead to the theft of sensitive information such as session cookies and login credentials, or facilitate other malicious actions like redirecting users to phishing sites or delivering malware.

Reproduction

To reproduce this vulnerability, log into the IbuyuCMS admin panel and navigate to the Add Article section. Inject XSS payloads into the Title field, such as an image tag with an onerror attribute. After saving the article, the injected script will execute when the article is viewed, demonstrating the cross-site scripting vulnerability.