`# Exploit Title: Stored Cross-Site Scripting
# Date: 16/12/2019
# Exploit Author: Cyb0r9
# Vendor Homepage: https://www.serv-u.com/ <https://www.serv-u.com/>
# Software Link: https://www.serv-u.com/downloads <https://www.serv-u.com/downloads>
# Version: SOLARWIND Serv-U FTP Server v15.1.7
# Tested on: Windows 10 x64
# CVE : CVE-2019-19829
The application is vulnerable to a XSS stored vulnerability.
Vulnerable parameter : Email
in the context the user's browser session either when the victim logs to the
web client or browses to the Serv-U server login page.
A privilege user could manipulate the affected parameter on an existing
the victim logs into his account.
For example, a successful XSS attack could result in the attacker
redirecting the user to a phishing/malicious site or performing actions as
the victim on the Serv-U application.
** Injection Point in user properties **
# Proof of concept
1) Login as a user that has privileges to create or modify users.
2) Create a new user and add the following payload into the "Email" parameter.
Payload used : "'/><script>alert(7);</script>@gmail.com"'/></script><script>;alert(7);</script>
3) Login as the victim user and observe popup alert.