| Title | Eastnets PaymentSafe 2.5.26.0 Cross Site Scripting |
|---|
| Description | A Stored Cross-Site Scripting (XSS) vulnerability was identified in the BIC Search functionality of the application. This flaw allows an attacker to inject malicious JavaScript payloads, which execute when another user interacts with the compromised entry, potentially leading to session hijacking and full account takeover.
1. Login to the application. (Attacker needs credentials, could be internal actor)
2. Navigate to "Utilities" and click on "BIC Search"
3. Add or edit the entry and add the payload as "<img/src="x" onmouseover="confirm(document.domain)">" exact payload needs to be entered, please copy and paste as the special character like > and < is a a bypass for aspx applications.
4. Save it and hover the mouse on the injected payload, xss payload will execute. |
|---|
| Source | ⚠️ https://drive.google.com/file/d/1uTRLoCnOGcXtSpoZO8xyPakhIO4MbCMk/view?usp=sharing |
|---|
| User | kushkira (UID 60170) |
|---|
| Submission | 02/02/2025 12:25 (1 Year ago) |
|---|
| Moderation | 02/15/2025 15:38 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 295953 [Eastnets PaymentSafe 2.5.26.0 BIC Search cross site scripting] |
|---|
| Points | 20 |
|---|