Lucene search
Hainguyen0207F877E65A-E647-457B-B105-7E5C9F58FB43HistorySep 01, 2023 - 7:31 p.m.
Store XSS in Mail Setup
2023-09-0119:31:04
hainguyen0207
www.huntr.dev
7
xss
mail setup
payload injection
security flaw
admin page
configuration
0.0005 Low
EPSS
Percentile
17.1%
Description
I noticed, your website is very secure.
But you overlooked a flaw XSS .
Proof of Concept
Detail:
1 .Login vs admin demo account and access admin page.
2 .Go to Configuration ==> Mail setup.
3 .Insert payload into Password:
test"><script>alert(document.domain)</script>
4 .Click save configuration ==> detect XSS
Video Poc
https://drive.google.com/file/d/1B9xJPGnRSL6HvZOri7kp9TD3LZnUvaHA/view?usp=drive_link
Related
cve
cve
CVE-2023-5316
2023-09-30 01:15:39
osv
osv
CVE-2023-5316
2023-09-30 01:15:39
phpMyFAQ Cross-site Scripting vulnerability
2023-09-30 03:31:49
nvd
nvd
CVE-2023-5316
2023-09-30 01:15:39
prion
prion
Cross site scripting
2023-09-30 01:15:00
cvelist
cvelist
CVE-2023-5316 Cross-site Scripting (XSS) - DOM in thorsten/phpmyfaq
2023-09-30 00:00:17
github
github
phpMyFAQ Cross-site Scripting vulnerability
2023-09-30 03:31:49
openvas
openvas
phpMyFAQ < 3.1.18 Multiple Vulnerabilities
2023-10-03 00:00:00