ManhNho, Apr 4th, 2018 (edited)
- # Exploit Title: iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site title" field.
- # Date: 02/04/2018
- # Exploit Author: ManhNho
- # Contact: https://facebook.com/aviciicloud
- # Vendor Homepage: https://www.iscripts.com
- # Demo Page: https://www.demo.iscripts.com/easycreate/demo/
- # Version: 3.2.1
- # Tested on: Windows 10
- # Category: Webapps
- # CVE: CVE-2018-9236
- 1. Description
- iScripts EasyCreate 3.2.1 is affected by a stored XSS vulnerability in the "Site title" field.
- 2. PoC
- > #1. From the "user section", go to "dashboard" and select "Created from saved items" with the edit option
- > #2. In the "edit site" action
- > Inject </title>"><script>alert('1')</script> into the "Site title" field
- > #3. Save and change! Refresh and we have an alert pop-up!
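Added example, not part of the original advisory or the vendor's code: a Node.js sketch of why the PoC string executes when a stored title is written back unencoded, and how encoding at output time neutralizes it. The page template, the `og:title` attribute and all function names are assumptions, since the advisory does not show where EasyCreate emits the title.

```javascript
// Added example: template and function names are hypothetical.
// PAYLOAD is the string from step #2 of the PoC above.
const PAYLOAD = `</title>"><script>alert('1')</script>`;

// Encode the characters that are significant in HTML text and in
// quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Shared template: the title lands in two contexts, a <title> element
// and a double-quoted attribute value.
function template(title) {
  return `<html><head><title>${title}</title>` +
         `<meta property="og:title" content="${title}"></head><body></body></html>`;
}

// Vulnerable pattern: the stored value is interpolated raw.
// "</title>" ends the title element and '">' ends the attribute and tag,
// so the <script> element is parsed as markup in both places.
function renderVulnerable(siteTitle) {
  return template(siteTitle);
}

// Hardened pattern: same template, value encoded when it is written out.
function renderHardened(siteTitle) {
  return template(escapeHtml(siteTitle));
}

// Simple regression check: count script start tags in the rendered page.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

console.log('vulnerable:', countScriptTags(renderVulnerable(PAYLOAD)));
console.log('hardened:  ', countScriptTags(renderHardened(PAYLOAD)));
console.log(escapeHtml(PAYLOAD));
```

Encoding belongs at output, per context, rather than at storage time, so that values already saved in the database are covered as well.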