ManhNho

CVE-2018-9237

Apr 4th, 2018
1,853
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Exploit Title: iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site Description" field.
  2. # Date: 02/04/2018
  3. # Exploit Author: ManhNho
  4. # Contact: https://facebook.com/aviciicloud
  5. # Vendor Homepage: https://www.iscripts.com
  6. # Demo Page: https://www.demo.iscripts.com/easycreate/demo/
  7. # Version: 3.2.1
  8. # Tested on: Windows 10
  9. # Category: Webapps
  10. # CVE: CVE-2018-9237
  11.  
  12. 1. Description
  13. ====================
  14. iScripts Easycreate 3.2.1 is affected by a XSS vulnerability
  15.  
  16. 2. PoC
  17. ====================
  18. #1. from "user section", access to "dashboard" and select "Created from saved items" with edit option
  19. > #2. In "edit site" action
  20. > Inject "><script>alert('2')</script> to "Site Description field
  21. > #3. Save and change!! refresh and we have alert pop up!
RAW Paste Data