Lucene search
Iamshooter998C80CAA0-DC89-43F2-8F5F-DB02D2669046HistoryApr 20, 2022 - 1:37 p.m.
Store XSS in title parameter executing at EditUser Page & EditProducto page
2022-04-2013:37:56
iamshooter99
www.huntr.dev
13
xss
injection
web application
EPSS
0.001
Percentile
21.4%
Description
Cross-site scripting (XSS) is a common attack vector that injects malicious code into a vulnerable web application. Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.
Proof of Concept
- Login as Normal user.
- Click on Options and select user.
- Set title as <script>alert(document.domain)</script> and save. It will store the XSS payload.
- log in to any account, i.e. admin.
- Click on the top right corner i.e EditUser executing xss.
Video PoC
EditUser- https://drive.google.com/file/d/1zHI5GNU7JFUL5h6e64tnUFg4lXzqECRU/view?usp=sharing
EditProducto- https://drive.google.com/file/d/1Z2fcc6DF-4eFpB1DAok3XMrtjUtYWo5M/view?usp=sharing
References
Related
veracode
veracode
Cross-Site Scripting (XSS)
2022-04-26 04:35:10
cve
cve
CVE-2022-1457
2022-04-25 10:15:09
prion
prion
Cross site scripting
2022-04-25 10:15:00
github
github
Cross site scripting in facturascripts
2022-04-26 00:00:43
osv
osv
CVE-2022-1457
2022-04-25 10:15:09
Cross site scripting in facturascripts
2022-04-26 00:00:43
cvelist
cvelist
nvd
nvd
CVE-2022-1457
2022-04-25 10:15:09