
ID: 291
Status: Closed
Summary: Stored XSS via Default Credentials and Unsafe File Uplo ...
Opened by: saman

Task Description

Hello Security Team,

During a security review, I identified a vulnerability on one of your subdomains that is running BoidCMS. The service is currently accessible using default credentials, which allows unauthorized access to the CMS panel.

After logging in, it is possible to upload HTML files to the server. The input fields (such as the description field) are not properly sanitized, allowing the injection of JavaScript code.
As a result, when the uploaded file's URL is accessed, the injected script is executed, leading to a Stored Cross-Site Scripting (XSS) vulnerability that affects any user who visits the link.

The root cause appears to be insecure default configuration, unrestricted HTML file upload, and lack of input validation.
For clarity and verification, I have attached a video Proof-of-Concept demonstrating the full exploitation flow.
This report is submitted responsibly and solely for remediation purposes.

URLs:
https://boidcms.alwaysdata.net/admin

Best regards,
saman
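The two weaknesses the report names (HTML files accepted by the upload handler, and a free-text description field rendered without escaping) are the kind that an upload policy plus output encoding close. The following is an added example written for this page, not BoidCMS code: `validate_upload`, `render_description` and `response_headers_for_upload` are hypothetical names, and the sample uploads are constructed.

```python
import html
import os
import re

# Added example, not BoidCMS code: an upload policy that rejects files a
# browser could render as markup (the vector in this report), plus output
# escaping for a free-text field such as the description.

# Extensions browsers render as a document; SVG and XHTML can carry scripts too.
BLOCKED_EXTENSIONS = {".html", ".htm", ".xhtml", ".shtml", ".svg"}

# Content check: reject bodies that look like markup regardless of the name.
MARKUP_SNIFF = re.compile(rb"<\s*(!doctype|html|script|svg|body|iframe)", re.I)


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason); checks both the extension and the bytes."""
    base = os.path.basename(filename)          # drop any path components
    ext = os.path.splitext(base)[1].lower()    # case-insensitive extension match
    if ext in BLOCKED_EXTENSIONS:
        return False, f"extension {ext} is renderable as markup"
    if MARKUP_SNIFF.search(content[:1024]):    # inspect the leading bytes only
        return False, "content looks like HTML/SVG markup"
    return True, "ok"


def render_description(description: str) -> str:
    """Escape a stored free-text field before placing it inside an HTML page."""
    return html.escape(description, quote=True)


def response_headers_for_upload() -> dict:
    """Headers for serving user uploads: force download, no MIME sniffing."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed samples, not taken from the report.
    print(validate_upload("notes.html", b"<html><body>x</body></html>"))
    print(validate_upload("photo.png", b"\x89PNG\r\n\x1a\n"))
    print(validate_upload("photo.png", b"<svg><script>1</script></svg>"))
    print(render_description('<b>"quoted"</b>'))
```

Serving existing uploads with the headers above contains files that were accepted before the policy was in place; rotating the default credentials is a separate, prerequisite step.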

