| Title | Authenticated Reflected XSS in Planno 23.04.04 |
|---|
| Description | Additional info
If you want to know how it is installed, we used their official installation guide:
https://www.planno.fr/installation/
https://www.planno.fr/wp-content/uploads/2023/05/installation_23.04.pdf
Please let me know if you need me to add more info.
Reference(s) info
https://youtu.be/evdhcUlD1EQ
Attack vector(s)
To exploit the vulnerability, we must be logged into the system.
- Once logged in, we go to the bottom, to the "Modifier le commentaire" section; when we modify the comment we add our payload `"><script>alert(1);</script>`,
then we only click "Enregistrer" and we get the XSS.
- Second vector: we go to the top right and click the disk symbol "Enregistrer comme modele", add our payload `"><script>alert(1);</script>`
and run, and we have the XSS.
The vectors are shown in the PoC video; this is the link: https://youtu.be/evdhcUlD1EQ
Affected component(s)
There are several vulnerable components: first, the component to modify a comment, and second, the one to modify a common model; both are vulnerable to reflected XSS.
Other impact
The actual impact of an XSS attack generally depends on the nature of the application, its functionality and data, and the status of the compromised user. For example: In a brochureware application, where all users are anonymous and all information is public, the impact will often be minimal. In an application holding sensitive data, such as banking transactions, emails, or healthcare records, the impact will usually be serious. If the compromised user has elevated privileges within the application, then the impact will generally be critical, allowing the attacker to take full control of the vulnerable application and compromise all users and their data.
|
|---|
| Source | https://youtu.be/evdhcUlD1EQ |
|---|
| User | ph03n1xsp (UID 53845) |
|---|
| Submission | 12/09/2023 11:22 AM (3 years ago) |
|---|
| Moderation | 16/09/2023 09:57 AM (4 days later) |
|---|
| Status | Approved |
|---|
| VulDB Entry | 239865 [Planno 23.04.04 Comment cross site scripting] |
|---|
| Points | 17 |
|---|
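The two attack vectors above reflect a saved comment or template name with the payload `"><script>alert(1);</script>`. The leading `">` in that payload is the classic shape for breaking out of a quoted HTML attribute, which suggests the value is reflected into something like an `<input value="...">` without encoding. The block below is an added example, not Planno's code and not derived from its source (which the report does not include): it assumes, hypothetically, an attribute-context reflection, shows why the payload turns into a live `<script>` element under naive string concatenation, and shows that HTML-attribute encoding keeps the same text inside the attribute while the browser still sees the original comment as the field's value. The `PAYLOAD` constant is the one quoted in the report; the form markup and the French field names are constructed for illustration.

```javascript
// Added example, not part of the Planno project or the original submission.
// Assumption (hypothetical): the comment / template name is reflected into a
// quoted HTML attribute such as <input value="..."> by string concatenation.

// Payload quoted in the report.
const PAYLOAD = '"><script>alert(1);</script>';

// Vulnerable rendering: raw concatenation of user data into an attribute value.
// The payload's leading `"` closes the attribute, `>` closes the tag, and the
// rest of the payload lands in element context as a real <script> element.
function renderCommentUnsafe(comment) {
  return '<form><input type="text" name="commentaire" value="' + comment + '">' +
         '<button>Enregistrer</button></form>';
}

// Attribute-context encoding: every character that could end the attribute
// value or start a tag is replaced by an entity. Encoding all five characters
// also makes the output safe in plain element (text-node) context.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened rendering: identical markup, but the user-controlled part is encoded.
function renderCommentSafe(comment) {
  return '<form><input type="text" name="commentaire" value="' +
         escapeHtmlAttr(comment) + '">' +
         '<button>Enregistrer</button></form>';
}

// Inverse of escapeHtmlAttr, mimicking what the browser does when it reads the
// attribute back (e.g. as the input's .value). Order matters: &amp; last.
function decodeHtmlEntities(s) {
  return String(s)
    .replace(/&quot;/g, '"')
    .replace(/&#x27;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Crude checks used to demonstrate the difference between the two renderings.
// Number of <script ...> start tags in the markup (closing tags do not count).
function countScriptTags(html) {
  const m = html.match(/<script\b/gi);
  return m ? m.length : 0;
}

// The literal content of the first value="..." attribute, as an HTML parser
// would delimit it: everything up to the next double quote.
function extractInputValue(html) {
  const m = html.match(/value="([^"]*)"/);
  return m ? m[1] : null;
}

// Stand-alone demo.
const unsafe = renderCommentUnsafe(PAYLOAD);
const safe = renderCommentSafe(PAYLOAD);
console.log('unsafe markup :', unsafe);
console.log('  script tags :', countScriptTags(unsafe));       // 1
console.log('  attr value  :', JSON.stringify(extractInputValue(unsafe))); // "" (attribute closed early)
console.log('safe markup   :', safe);
console.log('  script tags :', countScriptTags(safe));         // 0
console.log('  attr value  :', decodeHtmlEntities(extractInputValue(safe))); // original payload text
```

Note that encoding is context specific: the example above is correct only for data placed inside a quoted HTML attribute or a text node. If the same comment were also echoed into a `<script>` block, a URL, or an unquoted attribute, each of those contexts needs its own encoder, and the fix belongs in the template or framework output layer rather than in ad-hoc replacements at each call site.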