| Field | Value |
|---|---|
| Title | playSMS 1.4.3 HTML Injection |
| Description | PlaySMS 1.4.3 has authenticated HTML Injection in Phonebook. The manipulation of the argument name/email leads to an HTML Injection vulnerability. (1) Authenticate at the login page http://192.168.1.20/playsms/index.php?app=main&inc=core_auth&route=login. (2) Click on My Account > Phonebook (/index.php?app=main&inc=feature_phonebook&op=phonebook_list). (3) Click on the plus (+) icon to add a new Phonebook. (4) Add the payload `<br><h1> Olá </h1></br>` in the "name" and "Email" fields. (5) Save and go back to My Account > Phonebook. |
| Source | https://github.com/playsms/playsms/tree/master/storage/application/plugin/feature/phonebook |
| User | Dhimitri (UID 45045) |
| Submission | 06/12/2024 20:56 (2 years ago) |
| Moderation | 06/21/2024 18:27 (9 days later) |
| Status | Accepted |
| VulDB entry | 269418 [playSMS 1.4.3 New Phonebook name/email cross site scripting] |
| Points | 20 |
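The root cause of this class of bug is that a stored phonebook field is written into the page without output encoding, so the browser treats the saved text as markup. The following PHP is an added illustration written for this entry; it is not playSMS code and does not reproduce its templates. It assumes a hypothetical `$entry` array with `name` and `email` keys as loaded from the database, and the helper names (`render_row_vulnerable`, `render_row_safe`, `h`, `validate_email`) are invented for the example. The sample value is constructed to match the submitted payload.

```php
<?php
// Added example, not playSMS code: rendering stored phonebook fields safely.
// Assumption: $entry is the row as loaded from the database (hypothetical shape).

// Constructed sample input mirroring the payload from the submission above.
$entry = [
    'name'  => '<br><h1> Olá </h1></br>',
    'email' => '<br><h1> Olá </h1></br>',
];

// Vulnerable pattern: stored values are concatenated straight into the markup,
// so the browser renders the injected <h1> instead of displaying it as text.
function render_row_vulnerable(array $entry): string
{
    return '<tr><td>' . $entry['name'] . '</td><td>' . $entry['email'] . '</td></tr>';
}

// Hardened pattern: every untrusted field is HTML-escaped at the point of output.
// ENT_QUOTES escapes both quote styles so the value is also safe inside attributes;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning an empty string;
// the explicit UTF-8 charset keeps multi-byte characters such as "á" intact.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row_safe(array $entry): string
{
    return '<tr><td>' . h($entry['name']) . '</td><td>' . h($entry['email']) . '</td></tr>';
}

// Defence in depth on input: reject values that are not syntactically valid e-mail
// addresses before they are stored, so tag-bearing strings never reach that column.
// Output escaping remains the primary control; the name field has no such format rule.
function validate_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Compare the two renderings: the first emits raw tags, the second emits
// &lt;br&gt;&lt;h1&gt; ... which the browser shows literally.
echo render_row_vulnerable($entry), PHP_EOL;
echo render_row_safe($entry), PHP_EOL;
var_dump(validate_email($entry['email']));
```

Escaping belongs in the view layer, applied to every dynamic value, rather than in a one-off cleanup of the phonebook form: the same stored row may be rendered in other pages (exports, lists, dropdowns), and each of those is a separate injection sink if it echoes the value unescaped.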