CVE-2014-8577
Croogo < 2.0.0 - Cross-Site Scripting via Multiple Admin Parameters
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2014-8577. PoCs published by LiquidWorm.
AI-analyzed exploit summary
The exploit demonstrates multiple stored XSS vulnerabilities in Croogo 2.0.0 by injecting malicious scripts into various POST parameters. The PoC includes HTML forms with embedded JavaScript payloads that trigger alerts when submitted.
Description
Multiple cross-site scripting (XSS) vulnerabilities in Croogo before 2.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Contact][title] parameter to admin/contacts/contacts/add page; (2) data[Block][title] or (3) data[Block][alias] parameter to admin/blocks/blocks/edit page; (4) data[Region][title] parameter to admin/blocks/regions/add page; (5) data[Menu][title] or (6) data[Menu][alias] parameter to admin/menus/menus/add page; or (7) data[Link][title] parameter to admin/menus/links/add/menu page.