Title: Stored Cross-Site Scripting in PyroCMS
CVE ID: CVE-2022-37721
CVSSv3 Base Score: 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Vendor: PyroCMS, Inc.
Products: PyroCMS
Advisory Release Date: 14 November 2022
Advisory URL: https://labs.integrity.pt/advisories/cve-2022-37721
Credits: Discovery by Bruno Barreirinhas <bb[at]integrity.pt>
PyroCMS is vulnerable to a stored XSS: a low-privileged user, such as an author, can inject a crafted HTML and JavaScript payload into a blog post, leading to full admin account takeover or privilege escalation.
The JavaScript payload executes when the affected blog post is loaded in the victim's browser.
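One way to close this class of bug on the server side, as an added example that is not PyroCMS's own code: an allowlist sanitizer applied to author-supplied post bodies before they are stored, so script elements, event-handler attributes and javascript: URLs never reach the rendering template. The tag and attribute allowlist and the sample post are assumptions constructed for the example.

```python
# Added example (not PyroCMS code): allowlist HTML sanitizer for untrusted post bodies.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code"}
ALLOWED_ATTRS = {"a": {"href"}}          # event handlers (on*) are never in the allowlist
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")

def _safe_url(value: str) -> bool:
    # Rejects javascript:, data: and any other scheme not listed above.
    return value.strip().lower().startswith(SAFE_URL_PREFIXES)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside <script>/<style>; their text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS or self._skip_depth:
            return  # unknown element: drop the tag, keep its (escaped) text
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not _safe_url(value):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and not self._skip_depth and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-encoded, never emitted raw

def sanitize_post_body(html: str) -> str:
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)

# Constructed sample of an author-supplied post body (not from the advisory).
CONSTRUCTED_POST = ('<p>Hello <b>world</b></p><script>doSomething()</script>'
                    '<a href="javascript:doSomething()" onclick="x()">link</a>'
                    '<a href="https://example.com">ok</a><img src=x onerror=x()>')
```

Applying this at write time is a second layer; the template must still escape on output, since the stored body is treated as untrusted either way.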
*No official patch released by the vendor