Cyclos 4.14.7 'groupId' DOM-based XSS Vulnerabilit
Reporter | Title | Published | Views | Family All 7 |
---|---|---|---|---|
Cvelist | CVE-2021-31673 | 1 May 202223:08 | โ | cvelist |
Exploit DB | Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS) | 11 May 202200:00 | โ | exploitdb |
CNVD | Cyclos 4 PRO Cross-Site Scripting Vulnerability | 7 May 202200:00 | โ | cnvd |
NVD | CVE-2021-31673 | 2 May 202200:15 | โ | nvd |
Prion | Cross site scripting | 2 May 202200:15 | โ | prion |
CVE | CVE-2021-31673 | 2 May 202200:15 | โ | cve |
Packet Storm | Cyclos 4.14.7 Cross Site Scripting | 11 May 202200:00 | โ | packetstorm |
# Exploit Title: Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)
# Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services
# Vendor Homepage: https://www.cyclos.org/
# Version: Cyclos 4.14.7 (and prior)
# Tested on: Ubuntu
# CVE : CVE-2021-31673
# Description:
A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and prior allows remote attackers to inject arbitrary web script or HTML via the 'groupId' parameter.
# Steps to reproduce:
An attacker sends a draft URL
[IP]/#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E to victim.
When a victim opens the URL, XSS will be triggered.
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contactย us for a demo andย discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo