ec14967376
5 changes to exploits/shellcodes/ghdb Azon Dominator Affiliate Marketing Script - SQL Injection Customer Support System 1.0 - Stored XSS Microweber 2.0.15 - Stored XSS Xhibiter NFT Marketplace 1.10.2 - SQL Injection
17 lines
No EOL
737 B
Text
17 lines
No EOL
737 B
Text
# Exploit Title: Customer Support System 1.0 - (XSS) Cross-Site
|
|
Scripting Vulnerability in the "subject" at "ticket_list"
|
|
# Date: 28/11/2023
|
|
# Exploit Author: Geraldo Alcantara
|
|
# Vendor Homepage:
|
|
https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
|
|
# Software Link:
|
|
https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
|
|
# Version: 1.0
|
|
# Tested on: Windows
|
|
# CVE : CVE-2023-49976
|
|
*Steps to reproduce:*
|
|
1- Log in to the application.
|
|
2- Visit the ticket creation/editing page.
|
|
3- Create/Edit a ticket and insert the malicious payload into the
|
|
"subject" field/parameter.
|
|
Payload: <dt/><b/><script>alert(document.domain)</script> |