| タイトル | Authenticated Reflected XSS in Planno 23.04.04 |
|---|
| 説明 | Additional info
If you want to know how it is installed we use the official guide of them for the installation
https://www.planno.fr/installation/
https://www.planno.fr/wp-content/uploads/2023/05/installation_23.04.pdf
Please let me know if you need to me to add more info
Reference(s) info
https://youtu.be/evdhcUlD1EQ
Attack vector(s)
To exploit the vulnerability we must be logged into the system
-once logged in we go to the bottom in the part of "Modifier le commentaire" once we modify the comment we add our payload "><script>alert(1);</script>
there we only click on "Enregistrer" and we get the XSS
-Second vector, we go to the top right and click on the disk symbol "Enregistrer comme modele" we add our payload "><script>alert(1);</script>
and run, and we will have the XSS
The vectors are shown in the PoC video this is the link https://youtu.be/evdhcUlD1EQ
Affected component(s)
There are several components that are vulnerable, first the component to modify a comment and second modify a common model, both are vulnerable to XSS reflected
Other impact
The actual impact of an XSS attack generally depends on the nature of the application, its functionality and data, and the status of the compromised user. For example: In a brochureware application, where all users are anonymous and all information is public, the impact will often be minimal. In an application holding sensitive data, such as banking transactions, emails, or healthcare records, the impact will usually be serious. If the compromised user has elevated privileges within the application, then the impact will generally be critical, allowing the attacker to take full control of the vulnerable application and compromise all users and their data.
|
|---|
| ソース | ⚠️ https://youtu.be/evdhcUlD1EQ |
|---|
| ユーザー | ph03n1xsp (UID 53845) |
|---|
| 送信 | 2023年09月12日 11:22 (3 年 ago) |
|---|
| モデレーション | 2023年09月16日 09:57 (4 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 239865 [Planno 23.04.04 Comment クロスサイトスクリプティング] |
|---|
| ポイント | 17 |
|---|