## Title: paymoney-3.3 XSS-Reflected
## Author: nu11secur1ty
## Date: 07.02.2022
## Vendor: https://paymoney.techvill.org/
## Software: paymoney-3.3
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/paymoney/2022/paymoney-3.3

Description:
The parameters first_name and last_name in Users are vulnerable from
XSS-Reflected on Paymoney-3.3. The already authenticated users can be
hijacking the XSRF-Token and they can use it for malicious purposes on
internal and external domains.

STATUS: Medium

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/paymoney/2022/paymoney-3.3)

## Proof and Exploit:
[href](https://streamable.com/fhzvyr)