#2968 Stored Cross-Site Scripting.

URL / Location of vulnerability

/nukeviet/admin/index.php?language=en&nv=menu&op=rows&mid=1

Description

Hi Nukeviet Team.

I managed to exploit a Stored XSS in the NukeViet CMS. The vulnerability is exploited from a privileged user account. It stems from improper input encoding and sanitization of the Link parameter.

Steps to reproduce

  1. Navigate to the Admin Panel, located at /nukeviet/admin/index.php
  2. Next, navigate to the Navigation Bar option.
  3. Navigate to "Top Menu" (location: /admin/index.php?language=en&nv=menu&op=rows&mid=1)
  4. Add an item with the following values and click Save:
    Item Name: XSSTEST
    Link: "> <scr<script>ipt>alert(document.domain)</scr<script>ipt>
  5. The item is saved with the payload in the Link field.
  6. Next, visit the website as a regular non-privileged user or as an admin user. The XSS alert should appear.

Many other input fields in the CMS are affected by the same issue, for example:

  1. "Voting Option" (/nukeviet/admin/index.php?language=en&nv=voting) -> "Link to Page": modify the second option in the list, as the field does not check whether the input is a URL.

Visit the voting page (/nukeviet/en/voting/) as a regular or admin user; the XSS alert should appear.

Impact

The issue is worth fixing because a privileged user who exploits the vulnerability could steal other users' or admins' session cookies, leading to account takeover and manipulation of the voting results.

Recommendation

Validate, sanitize and output-encode the input of all parameters and fields (for link fields, accept only well-formed URLs with an allowed scheme, then HTML-encode the value when rendering it into an attribute).

OWASP Cross Site Scripting Prevention Cheat Sheet:

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
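As an added illustration (not NukeViet's own code), the PHP below shows why the split-tag payload from this report survives a single-pass tag filter, and a validate-then-encode approach for the Link field; the function names are hypothetical and the sample input is the report's payload.

```php
<?php
// Added example, not NukeViet code: blacklist stripping vs. validate-then-encode.

// Naive filter of the kind the split-tag payload is built to defeat:
// a single-pass removal of "<script>" re-assembles the tag from the pieces.
function naive_strip(string $link): string
{
    return str_ireplace('<script>', '', $link);
}

// Hardened approach: accept only http(s) URLs or site-relative paths;
// return null for anything else so the caller can reject the submission.
function validate_menu_link(string $link): ?string
{
    $link = trim($link);
    // Site-relative path such as /en/voting/ (no scheme, no "//" host part,
    // and none of the characters that could break out of an attribute).
    if (preg_match('#^/(?!/)[^\s"\'<>]*$#', $link)) {
        return $link;
    }
    $scheme = strtolower((string) parse_url($link, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;          // rejects javascript:, data:, and scheme-less junk
    }
    return filter_var($link, FILTER_VALIDATE_URL) === false ? null : $link;
}

// Rendering: always encode for the HTML attribute context, independent of
// what validation accepted. ENT_QUOTES encodes both " and '.
function render_menu_item(string $name, string $link): string
{
    $safe_link = validate_menu_link($link) ?? '#';   // '#' = rejected link
    return '<a href="' . htmlspecialchars($safe_link, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">'
         . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</a>';
}

// Payload from the report, embedded as the sample input.
$payload = '"> <scr<script>ipt>alert(document.domain)</scr<script>ipt>';

echo naive_strip($payload), PHP_EOL;
// "> <script>alert(document.domain)</script>   <- an intact script element remains

echo render_menu_item('XSSTEST', $payload), PHP_EOL;
// <a href="#">XSSTEST</a>

echo render_menu_item('Voting', '/en/voting/'), PHP_EOL;
// <a href="/en/voting/">Voting</a>
```

The same two-step pattern (reject anything that is not a URL, then `htmlspecialchars` on output) applies to the "Link to Page" field of the voting module mentioned above.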

Attachments

Program

NukeViet

Target

https://github.com/nukeviet/

Visibility

Public - Full

Status

Accepted - Resolved

Vulnerability

Cross-Site Scripting (XSS) > Stored > Privileged User to Privilege Elevation

Severity

HIGH

Reference

#2968

Submitted at

16/12/2021 13:12:58

Submitted by

Point

3

Votes

1