{"id":24079,"date":"2025-10-30T10:50:35","date_gmt":"2025-10-30T10:50:35","guid":{"rendered":"http:\/\/localhost\/?p=24079"},"modified":"2025-10-30T10:50:35","modified_gmt":"2025-10-30T10:50:35","slug":"lepton-740-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=24079","title":{"rendered":"\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting_PACKETSTORM:211036"},"content":{"rendered":"

{“lastseen”:”2025-10-30T15:16:00″,”description”:”LEPTON…………………………………………”,”published”:”2025-10-30T00:00:00″,”modified”:”2025-10-30T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:211036″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# Exploit Title: LEPTON 7.4.0 – Stored Cross-Site Scripting (XSS) \\n # Exploit Author: tmrswrr \/ Hulya KARABAG \\n # Vendor Homepage: https:\/\/lepton-cms.org\/ \\n # Software Link: https:\/\/lepton-cms.org\/media\/download_gallery\/LEPTON_stable_7.4.0.zip \\n # Version: LEPTON 7.4.0 stable \\n # Date: October 29, 2025 \\n \\n \\n #### Vulnerability Description \\n \\n LEPTON CMS version 7.4.0 contains a stored Cross-Site Scripting (XSS) vulnerability that allows authenticated administrators to inject and execute arbitrary JavaScript code through the Droplets functionality. This vulnerability arises from improper output encoding and lack of content security controls within the Droplets feature execution. \\n \\n #### Proof of Concept \\n \\n ## Prerequisites \\n – Valid administrator credentials \\n – Access to the LEPTON CMS administrative interface \\n \\n #### Exploitation Steps \\n \\n 1. Authentication \\n – Log into the LEPTON CMS administration panel with administrator privileges \\n \\n 2. Access Droplets Management \\n – Navigate to: Menu \\u003e Administration \\u003e Admin-Tools \\n – Select the \\”Droplets\\” option \\n \\n 3. Create Malicious Droplet \\n – Click \\”Create New\\” \\n – Enter a droplet name (e.g., xss-droplet) \\n – In the code field, insert the XSS payload: \\n \\n echo \\”\\u003cscript\\u003ealert(‘XSS!!’)\\u003c\/script\\u003e\\”; \\n \\n – Click \\”Save and Back\\” to store the droplet \\n \\n 4. Trigger Execution \\n – Edit or create any page within the CMS \\n – In the content editor, insert the droplet using the syntax: \\n [[xss-droplet]] \\n – Save the page modifications \\n \\n 5. Verify Exploitation \\n – Preview or visit the modified page \\n – The JavaScript alert box will be displayed, confirming successful XSS execution \\n – Any user visiting the affected page will execute the injected script”,”sourceHref”:”https:\/\/packetstorm.news\/download\/211036″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/211036\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-10-30T15:16:00″,”description”:”LEPTON…………………………………………”,”published”:”2025-10-30T00:00:00″,”modified”:”2025-10-30T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:211036″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# Exploit Title: LEPTON 7.4.0 – Stored Cross-Site Scripting (XSS) \\n # Exploit Author: tmrswrr \/ Hulya KARABAG \\n #…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-24079","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting_PACKETSTORM:211036 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=24079\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting_PACKETSTORM:211036 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-10-30T15:16:00″,”description”:”LEPTON…………………………………………”,”published”:”2025-10-30T00:00:00″,”modified”:”2025-10-30T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:211036″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# Exploit Title: LEPTON 7.4.0 – Stored Cross-Site Scripting (XSS) n # Exploit Author: tmrswrr \/ Hulya KARABAG n #...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=24079\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-10-30T10:50:35+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=24079#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=24079\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting_PACKETSTORM:211036\",\"datePublished\":\"2025-10-30T10:50:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=24079\"},\"wordCount\":379,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=24079#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=24079\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=24079\",\"name\":\"\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting_PACKETSTORM:211036 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-10-30T10:50:35+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=24079#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=24079\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=24079#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting_PACKETSTORM:211036\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting_PACKETSTORM:211036 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=24079","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting_PACKETSTORM:211036 - zero redgem","og_description":"{“lastseen”:”2025-10-30T15:16:00″,”description”:”LEPTON…………………………………………”,”published”:”2025-10-30T00:00:00″,”modified”:”2025-10-30T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:211036″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# Exploit Title: LEPTON 7.4.0 – Stored Cross-Site Scripting (XSS) n # Exploit Author: tmrswrr \/ Hulya KARABAG n #...","og_url":"https:\/\/zero.redgem.net\/?p=24079","og_site_name":"zero redgem","article_published_time":"2025-10-30T10:50:35+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=24079#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=24079"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting_PACKETSTORM:211036","datePublished":"2025-10-30T10:50:35+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=24079"},"wordCount":379,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=24079#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=24079","url":"https:\/\/zero.redgem.net\/?p=24079","name":"\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting_PACKETSTORM:211036 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-10-30T10:50:35+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=24079#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=24079"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=24079#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 LEPTON 7.4.0 Cross Site Scripting_PACKETSTORM:211036"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/24079","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=24079"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/24079\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=24079"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=24079"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=24079"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}