| Título | Eastnets PaymentSafe 2.5.26.0 Cross Site Scripting |
|---|
| Descrição | A Stored Cross-Site Scripting (XSS) vulnerability was identified in the BIC Search functionality of the application. This flaw allows an attacker to inject malicious JavaScript payloads, which execute when another user interacts with the compromised entry, potentially leading to session hijacking and full account takeover.
1. Login to the application. (Attacker needs credentials, could be internal actor)
2. Navigate to "Utilities" and click on "BIC Search"
3. Add or edit the entry and add the payload as "<img/src="x" onmouseover="confirm(document.domain)">" exact payload needs to be entered, please copy and paste as the special character like > and < is a a bypass for aspx applications.
4. Save it and hover the mouse on the injected payload, xss payload will execute. |
|---|
| Fonte | ⚠️ https://drive.google.com/file/d/1uTRLoCnOGcXtSpoZO8xyPakhIO4MbCMk/view?usp=sharing |
|---|
| Utilizador | kushkira (UID 60170) |
|---|
| Submissão | 02/02/2025 12h25 (há 1 Ano) |
|---|
| Moderação | 15/02/2025 15h38 (13 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 295953 [Eastnets PaymentSafe 2.5.26.0 BIC Search Script de Site Cruzado] |
|---|
| Pontos | 20 |
|---|