Отправить #182497: MineStack 1.0 - Stored XSSИнформация

Название	MineStack 1.0 - Stored XSS
Описание	# Exploit Title: MineStack 1.0 - Stored XSS # Exploit Author: skalvin aka (CraCkEr) # Date: 14/07/2023 # Vendor: Bug Finder # Vendor Homepage: https://bugfinder.net/ # Software Link: https://bugfinder.net/product/minestack-a-cloud-mining-platform/10 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site ## Description Allow Attacker to inject malicious code into website, give ability to steal sensitive information, manipulate data, and launch additional attacks. Path: /mineStack/user/ticket/create POST parameter 'message' is vulnerable to XSS ----------------------------------------------------------- POST /mineStack/user/ticket/create HTTP/2 Content-Disposition: form-data; name="subject" Anything -----------------------------20515916954165612239365932815 Content-Disposition: form-data; name="message" <script>alert(1)</script> ----------------------------------------------------------- ## Steps to Reproduce: 1. Login as a (Normal User) 2. Go to [Support Ticket] on this Path: https://website/mineStack/user/ticket 3. Click on [Create Ticket] on this Path: https://website/mineStack/user/ticket/create 4. Enter Any Subject 5. Inject your XSS Payload in [Message Box] 6. Click on [Submit] 7. When ADMIN visit [SUPPORT TICKETS] on this Path : https://website/mineStack/admin/tickets and Open the [New Pending Ticket] 8. XSS Will Fire and Executed on his Browser [-] Done
Пользователь	skalvin (UID 49463)
Представление	13.07.2023 23:47 (3 лет назад)
Модерация	21.07.2023 22:47 (8 days later)
Статус	принято
Запись VulDB	235161 [Bug Finder MineStack 1.0 Ticket /user/ticket/create Сообщение межсайтовый скриптинг]
Баллы	17

◂ Предыдущий Обзор Далее ▸

Want to know what is going to be exploited?

We predict KEV entries!