Chartered Accountant : Auditor Website 2.0.1 Cross Site Scripting

2018-08-02T00:00:00
ID PACKETSTORM:148790
Type packetstorm
Reporter Vikas Chaudhary
Modified 2018-08-02T00:00:00

Description

                                        
                                            `*******************************************************************************************  
# Exploit Title: Chartered Accountant : Auditor Website 2.0.1 - Reflected , Stored XSS  
# Date: 26.06.2018  
# Site Titel : Find your needs on Domain Name   
# Vendor Homepage: https://www.phpscriptsmall.com/  
# Software Link: https://www.phpscriptsmall.com/product/cms-auditor-website/  
# Category: Web Application  
# Version: 2.0.1  
# Exploit Author: Vikas Chaudhary  
# Contact: https://www.facebook.com/profile.php?id=100011287630308  
# Web: https://gkaim.com/  
# Tested on: Windows 10 -Firefox  
# CVE: CVE-2018-13256  
  
*****************************************************************************************  
  
Proof of Concept:-  
--------------------------  
1. Go to the site ( http://server/auditor/ ) .  
2- Select REGISTER page (Register now) .  
3- Create an account using your Email address => in FIRST NAME , LAST NAME ,and PASSWORD put this script <img src =x onError=alert("VIKAS")>   
4- Now Check your Email and verify it .  
5- Again come to site and login it using your verified Email and Password .  
6- You will having popup VIKAS in you account when you loged in .  
  
***************************************************************************************  
  
`