CVE-2015-1058

AdaptCMS 3.0.3 - Cross-Site Scripting via Multiple Admin Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-1058. PoCs published by LiquidWorm.

AI-analyzed exploit summary This exploit leverages an authenticated arbitrary file upload vulnerability in AdaptCMS 3.0.3 to upload a malicious PHP file, enabling remote command execution via a web shell. The PoC includes authentication handling and a command execution loop.

Description

Multiple cross-site scripting (XSS) vulnerabilities in AdaptCMS 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Category][title] parameter to admin/categories/add, (2) data[Field][title] parameter to admin/fields/ajax_fields/, (3) name property in a basicInfo JSON object to admin/tools/create_theme, (4) data[Link][link_title] parameter to admin/links/links/add, or (5) data[ForumTopic][subject] parameter to forums/off-topic/new.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · pythonwebappsphp

https://www.exploit-db.com/exploits/35710

View Code ZIP pw:eip

This exploit leverages an authenticated arbitrary file upload vulnerability in AdaptCMS 3.0.3 to upload a malicious PHP file, enabling remote command execution via a web shell. The PoC includes authentication handling and a command execution loop.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: AdaptCMS 3.0.3

Auth required

Prerequisites: Valid credentials for AdaptCMS admin panel · Network access to the target

MITRE ATT&CK