Uncovering Privilege Escalation (CVE-2023-24674) and Stored XSS (CVE-2023-24675) Vulnerabilities in Bludit CMS
What is Bludit?
Bludit is a free and open-source web application that allows you to create your own website or blog quickly and easily.
However, version 4.0.0 of Bludit contains a vulnerability that we will discuss in this article.
To begin the analysis of the application, it is important to note that two user accounts are involved: the admin user and the user “cupcake”, who has author permissions.
The author user is able to write and edit their own content, but does not have the same level of permissions as the admin user. This means that while they can contribute to the website or blog, they do not have full control over the application.
1) To perform the privilege escalation, all you need to do is access the user’s profile.
2) Once you have accessed the user’s profile, you can make any necessary edits to the user account, such as changing the nickname or other profile information. After making the desired changes, simply click the “save” button to update the user account.
3) By intercepting the request with Burp Suite, I was able to observe that the profile update was sent with the HTTP method “PUT” for the user “cupcake”.
To perform the privilege escalation, I manipulated the request by inserting the parameter "role":"admin" into the body, granting administrative privileges to the cupcake user. This allowed me to gain elevated access to the application and perform actions that were not available to me previously.
After logging out and then logging back into the application, I was able to see that the “manage” and “settings” options were now available to the cupcake user. This confirms that the privilege escalation was successful and that the cupcake user now has administrative privileges.
By accessing the user section of the application, I was able to confirm that the privilege escalation was successful and that I had indeed become an administrator within the blog. This further highlights the importance of implementing proper security measures to prevent unauthorized access and privilege escalation attacks. ;)
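The root cause described above is a mass-assignment flaw: whatever fields the client puts in the PUT body are written to the account, including ones the requester should never control. As an added example, not Bludit's own code (Bludit is written in PHP; the field names, role names and handler shape below are assumptions), here is a minimal model of a profile-update handler showing the flawed pattern next to a hardened version that allow-lists the fields a user may change on their own profile and reserves the role field to administrators:

```python
"""Illustrative model of a profile-update handler, added as an example.
Not Bludit's code; field names, role names and the request body are assumptions."""
import json
from dataclasses import dataclass, field

# Fields a user may change on their own profile. "role" is deliberately absent.
SELF_EDITABLE_FIELDS = frozenset({"nickname", "firstName", "lastName", "email"})
# Fields only an administrator may set, on any account.
ADMIN_ONLY_FIELDS = frozenset({"role"})
VALID_ROLES = frozenset({"admin", "editor", "author"})


@dataclass
class User:
    username: str
    role: str
    profile: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the acting user lacks the right to make a change."""


def vulnerable_update(actor: User, target: User, body: str) -> User:
    """The flawed pattern: every key in the request body is written to the account,
    so a self-edit carrying "role":"admin" silently promotes the user."""
    for key, value in json.loads(body).items():
        if key == "role":
            target.role = value
        else:
            target.profile[key] = value
    return target


def hardened_update(actor: User, target: User, body: str) -> User:
    """Validate the whole request first, then apply it, so a rejected request
    leaves the account untouched. Role changes require an admin actor."""
    data = json.loads(body)
    if actor.username != target.username and actor.role != "admin":
        raise Forbidden("only admins may edit other accounts")

    # Pass 1: authorize and validate every field before touching state.
    for key, value in data.items():
        if key in ADMIN_ONLY_FIELDS:
            if actor.role != "admin":
                raise Forbidden(f"field {key!r} requires admin")
            if key == "role" and value not in VALID_ROLES:
                raise ValueError(f"unknown role {value!r}")
        elif key not in SELF_EDITABLE_FIELDS:
            # Unknown keys are rejected rather than stored; logging the actor and
            # key here is also a cheap detection signal for tampering attempts.
            raise ValueError(f"unexpected field {key!r}")

    # Pass 2: apply the validated changes.
    for key, value in data.items():
        if key == "role":
            target.role = value
        else:
            target.profile[key] = str(value)
    return target


if __name__ == "__main__":
    # Constructed request body: a self-edit that smuggles in a role change.
    tampered = '{"nickname": "cupcake2", "role": "admin"}'
    print("vulnerable:", vulnerable_update(User("cupcake", "author"),
                                           User("cupcake", "author"), tampered).role)
    try:
        hardened_update(User("cupcake", "author"), User("cupcake", "author"), tampered)
    except Forbidden as exc:
        print("hardened:", exc)
```

The two-pass structure matters: a handler that applies fields as it iterates can still leave a half-updated record behind when a later field is rejected, and an allow-list of self-editable fields is more robust than a deny-list of sensitive ones, since new privileged fields added later are protected by default.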
Stored XSS in “Friendly URL” field (CVE-2023-24675)
The friendly URL field is vulnerable to stored Cross-Site Scripting (XSS): code inserted into the friendly URL name is saved and later rendered.
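A friendly URL is a slug, so the field has a naturally narrow grammar, and the fix is to enforce that grammar on input and escape the value on output regardless. The following is an added example, not Bludit's code (Bludit is PHP; the slug rules, length limit and link template are assumptions), showing both layers:

```python
"""Added example: input validation and output escaping for a user-supplied
friendly URL (slug). Not Bludit's code; slug rules and templates are assumptions."""
import html
import re
import unicodedata

# Allow-list grammar: lower-case ASCII letters and digits separated by single hyphens.
SLUG_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")
MAX_SLUG_LEN = 128


def normalize_slug(raw: str) -> str:
    """Derive a safe slug from arbitrary text: fold accents to ASCII, lower-case,
    collapse every run of other characters to a single hyphen, trim edges."""
    text = unicodedata.normalize("NFKD", raw).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9]+", "-", text.lower()).strip("-")
    return text[:MAX_SLUG_LEN]


def is_valid_slug(slug: str) -> bool:
    """Strict check for a slug the client claims is already canonical; anything
    outside the allow-list (angle brackets, quotes, spaces) is rejected."""
    return 0 < len(slug) <= MAX_SLUG_LEN and SLUG_RE.fullmatch(slug) is not None


def render_link(slug: str, title: str) -> str:
    """Output layer: escape for the attribute and text contexts separately, so even a
    value that bypassed validation cannot break out of the markup."""
    return f'<a href="/{html.escape(slug, quote=True)}">{html.escape(title)}</a>'


if __name__ == "__main__":
    # Constructed hostile input: markup in the friendly URL field.
    hostile = "<img src=x onerror=alert(1)>"
    print("valid as-is:", is_valid_slug(hostile))
    print("normalized: ", normalize_slug(hostile))
    print("rendered:   ", render_link(hostile, "My post"))
```

Validating on input keeps hostile markup out of storage, while escaping on output protects every template that prints the value, including ones written after the validator; the two layers are complementary, not alternatives.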
PoC: