# Exploit Title: News247 - News Magazine (CMS) v1.0 – Stored Cross Site Scripting (XSS) # Exploit Author: Ravinder Verma # Date: Septmeber 14, 2022 # Vendor Homepage: https://www.sourcecodester.com/php/14952/news247-news-magazine-php-script.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/news247.zip # Tested on: Kali Linux, Apache, Mysql # Vendor: 255programmer # Version: v1.0 # CVE [Reserved] : CVE-2021-41731 # Exploit Description:
# News247 – News Magazine (CMS) v1.0 suffers from a stored cross site
scripting (XSS) Vulnerability. Admin can publish blogs under various
categories. When creating new “blog category”, if admin give malicious
payload like *””><img src=x onerror=alert(document.cookie)>* into the
category name field and publish that blog. Then it allows you to execute
page. It can be abused to steal session cookies, perform requests in the
name of the victim or for phishing attacks.