📄 LEPTON 7.4.0 Cross Site Scripting_PACKETSTORM:211036

Description

LEPTON................................................

Basic Information

ID PACKETSTORM:211036

Published Oct 30, 2025 at 00:00

Affected Product

Affected Versions # Exploit Title: LEPTON 7.4.0 - Stored Cross-Site Scripting (XSS)
# Exploit Author: tmrswrr / Hulya KARABAG
# Vendor Homepage: https://lepton-cms.org/
# Software Link: https://lepton-cms.org/media/download_gallery/LEPTON_stable_7.4.0.zip
# Version: LEPTON 7.4.0 stable
# Date: October 29, 2025

#### Vulnerability Description

LEPTON CMS version 7.4.0 contains a stored Cross-Site Scripting (XSS) vulnerability that allows authenticated administrators to inject and execute arbitrary JavaScript code through the Droplets functionality. This vulnerability arises from improper output encoding and lack of content security controls within the Droplets feature execution.

#### Proof of Concept

## Prerequisites
- Valid administrator credentials
- Access to the LEPTON CMS administrative interface

#### Exploitation Steps

1. Authentication
- Log into the LEPTON CMS administration panel with administrator privileges

2. Access Droplets Management
- Navigate to: Menu > Administration > Admin-Tools
- Select the "Droplets" option

3. Create Malicious Droplet
- Click "Create New"
- Enter a droplet name (e.g., xss-droplet)
- In the code field, insert the XSS payload:

echo "<script>alert('XSS!!')</script>";

- Click "Save and Back" to store the droplet

4. Trigger Execution
- Edit or create any page within the CMS
- In the content editor, insert the droplet using the syntax:
[[xss-droplet]]
- Save the page modifications

5. Verify Exploitation
- Preview or visit the modified page
- The JavaScript alert box will be displayed, confirming successful XSS execution
- Any user visiting the affected page will execute the injected script

{
    "lastseen": "2025-10-30T15:16:00",
    "description": "LEPTON................................................",
    "published": "2025-10-30T00:00:00",
    "modified": "2025-10-30T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:211036",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "# Exploit Title: LEPTON 7.4.0 - Stored Cross-Site Scripting (XSS)  \n    # Exploit Author: tmrswrr / Hulya KARABAG  \n    # Vendor Homepage: https://lepton-cms.org/  \n    # Software Link: https://lepton-cms.org/media/download_gallery/LEPTON_stable_7.4.0.zip  \n    # Version: LEPTON 7.4.0 stable  \n    # Date: October 29, 2025  \n     \n    \n    #### Vulnerability Description  \n    \n    LEPTON CMS version 7.4.0 contains a stored Cross-Site Scripting (XSS) vulnerability that allows authenticated administrators to inject and execute arbitrary JavaScript code through the Droplets functionality. This vulnerability arises from improper output encoding and lack of content security controls within the Droplets feature execution.  \n    \n    #### Proof of Concept  \n    \n    ## Prerequisites  \n    - Valid administrator credentials  \n    - Access to the LEPTON CMS administrative interface  \n    \n    #### Exploitation Steps  \n    \n    1. Authentication  \n       - Log into the LEPTON CMS administration panel with administrator privileges  \n    \n    2. Access Droplets Management  \n       - Navigate to: Menu > Administration > Admin-Tools  \n       - Select the \"Droplets\" option  \n    \n    3. Create Malicious Droplet  \n       - Click \"Create New\"  \n       - Enter a droplet name (e.g., xss-droplet)  \n       - In the code field, insert the XSS payload: \n        \n         echo \"<script>alert('XSS!!')</script>\";  \n         \n       - Click \"Save and Back\" to store the droplet  \n    \n    4. Trigger Execution  \n       - Edit or create any page within the CMS  \n       - In the content editor, insert the droplet using the syntax:  \n         [[xss-droplet]]  \n       - Save the page modifications  \n    \n    5. Verify Exploitation  \n       - Preview or visit the modified page  \n       - The JavaScript alert box will be displayed, confirming successful XSS execution  \n       - Any user visiting the affected page will execute the injected script",
    "sourceHref": "https://packetstorm.news/download/211036",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/211036/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply