Lucene search
31300axdev4E111C3E-6CF3-4B4C-B3C1-A540BF30F8FAHistoryAug 19, 2023 - 11:50 a.m.
Reflected xss in installation space parameter
2023-08-1911:50:43
31300axdev
www.huntr.dev
10
reflected xss
installation space parameter
web application security
code injection
validation
local file enumeration
bug bounty
0.002 Low
EPSS
Percentile
52.3%
Description
Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when an attacker injects malicious code, usually in the form of scripts, into a web application. This code is then executed by unsuspecting users who visit the affected web page. in this case the path of ./install/index.php?space=XSS is vulnerable to this attack, the line 59 takes input without any validation.
I should mention that local file enumeration is also possible using the error: <FILE> does not exist and if the file do exist we dont any error.
Proof of Concept
install/index.php?1692443074&space=../index.phv"><img%20src=1%20onerror=alert(1)>
screen shot of xss: https://wormhole.app/YXAjY#4tugWnQRULX2djrg_d-nAQ
References
Related
veracode
veracode
Cross-site Scripting (XSS)
2023-08-22 10:33:00
cvelist
cvelist
CVE-2023-4451 Cross-site Scripting (XSS) - Reflected in cockpit-hq/cockpit
2023-08-20 14:04:35
nuclei
nuclei
Cockpit - Cross-Site Scripting
2023-10-11 15:11:07
cve
cve
CVE-2023-4451
2023-08-20 15:15:29
nvd
nvd
CVE-2023-4451
2023-08-20 15:15:29
prion
prion
Cross site scripting
2023-08-20 15:15:00
osv
osv
CVE-2023-4451
2023-08-20 15:15:29
Cockpit Cross-site Scripting vulnerability
2023-08-20 15:30:36
github
github
Cockpit Cross-site Scripting vulnerability
2023-08-20 15:30:36