CVE-2018-5370

Vulnerability

BizLogic xnami 1.0 suffers from a persistent (stored) cross-site scripting (XSS) vulnerability via the comment parameter in the addComment POST action to the /media/ajax URI. The comment system does not sanitize or validate user-supplied input before storing it, and the payload is executed when any user views the media page. All versions of xnami 1.0 are affected [1][2].

Exploitation

An attacker can post a comment containing malicious JavaScript by sending a POST request to http://{target}/media/ajax with the parameters method=addComment, comment=, and mediaId=. The attacker does not require authentication because the comment system allows anonymous posting. The payload is stored and executed when any user, including administrators, visits the media page containing the injected comment [2].

Impact

Successful exploitation results in arbitrary JavaScript execution in the context of the victim's browser. Since the user login interface exists, this can be used to steal session cookies of authenticated users, potentially leading to account takeover and compromise of administrative accounts [2].

Mitigation

As of the publication date (2018-01-16), no patched version has been released. The vendor (bizlogicdev.com) has not provided a fix or workaround. Users are advised to disable the comment functionality or implement input sanitization and output encoding until a vendor-supplied patch is available [1][2].