==================================
Explay CMS <= 2.1 Persistent XSS and CSRF
==================================
Discovered by hodik
Mail: n.khodov@gmail.com
1. Persistent XSS
This CMS has a weak anti-XSS filter that strips only some basic vectors. A logged-in user can inject persistent XSS by adding to article text or a comment
2. CSRF
A user can gain admin rights if an admin opens a malicious page that contains, for instance:
or merely inserts it into a comment or article text.
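
Mitigation sketch for issue 2, added here as an example (not Explay CMS code and not from the advisory author): a role-change handler that refuses any request lacking a session-bound CSRF token or a same-origin POST. The handler name, request layout, origin and session id are hypothetical, and the sample requests are constructed.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # assumption: per-deployment secret
TRUSTED_ORIGIN = "https://cms.example"   # hypothetical site origin


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: HMAC-SHA256(server secret, session id)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_ok(request: dict) -> bool:
    """True only for a same-origin POST carrying this session's token."""
    if request.get("method") != "POST":
        return False  # role changes must not be reachable via GET
    if request.get("headers", {}).get("Origin") != TRUSTED_ORIGIN:
        return False  # strict: a missing Origin header is rejected too
    expected = issue_csrf_token(request["session_id"])
    supplied = request.get("form", {}).get("csrf_token", "")
    return hmac.compare_digest(expected.encode(), supplied.encode())


def set_user_role(request: dict, roles: dict) -> int:
    """Hypothetical admin handler; returns an HTTP status code."""
    if not request.get("is_admin") or not csrf_ok(request):
        return 403
    roles[request["form"]["user"]] = request["form"]["role"]
    return 200


def demo() -> tuple:
    roles = {"mallory": "user"}
    sid = "constructed-admin-session"
    # Constructed: sent from another site while the admin is logged in; the
    # browser attaches the session, but the page cannot know the token.
    forged = {"method": "POST", "session_id": sid, "is_admin": True,
              "headers": {"Origin": "https://other.example"},
              "form": {"user": "mallory", "role": "admin"}}
    # Constructed: the same action submitted from the site's own admin form.
    genuine = {"method": "POST", "session_id": sid, "is_admin": True,
               "headers": {"Origin": TRUSTED_ORIGIN},
               "form": {"user": "alice", "role": "editor",
                        "csrf_token": issue_csrf_token(sid)}}
    return set_user_role(forged, roles), set_user_role(genuine, roles), roles
```

The token check holds only once issue 1 is fixed as well, because script running in the site's own origin can read the token from the page.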