| Title | playSMS 1.4.3 HTML Injection |
|---|
| Description | PlaySMS 1.4.3 has authenticated HTML Injection in Phonebook. The manipulation of the argument name/email leads to an HTML Injection vulnerability.
1. Authenticate on the login page http://192.168.1.20/playsms/index.php?app=main&inc=core_auth&route=login
2. Click on My Account > Phonebook (/index.php?app=main&inc=feature_phonebook&op=phonebook_list)
3. Click on the Plus (+) icon to add a new Phonebook
4. Add the payload `<br><h1> Olá </h1></br>` in the "name" and "Email" fields
5. Save and go back to My Account > Phonebook |
|---|
| Source | https://github.com/playsms/playsms/tree/master/storage/application/plugin/feature/phonebook |
|---|
| User | Dhimitri (UID 45045) |
|---|
| Submission | 12.06.2024 20:56 (2 years ago) |
|---|
| Moderation | 21.06.2024 18:27 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 269418 [playSMS 1.4.3 New Phonebook name/email Cross Site Scripting] |
|---|
| Points | 20 |
|---|