PHPMailer < 5.2.23 - Cross-Site Scripting

2017.06.25
ir Shahab Shamsi (IR) ir
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[-] Title : PHPMailer < 5.2.23 - Cross-Site Scripting [-] Author : Shahab Shamsi [-] Software Link : https://github.com/PHPMailer/PHPMailer [-] Version: [ 5.2.23 ] [-] Tested on : [ Kali , Windows ] [-] Category : Webapps [-] Date : 2017-06-22 Vulnerable page : /code_generator.php Vulnerable Source : 312: echo $from_name; 18: $from_name = $_POST['From_Name'] : ''; 313: echo $from_email; 19: $from_email = $_POST['From_Email'] : ''; 314: echo $to_name; 20: $to_name = $_POST['To_Name'] : ''; 315: echo $to_email; 21: $to_email = $_POST['To_Email'] : ''; POC : http://localhost/code_generator.php step 1 = Go To Web Page = http://localhost/code_generator.php Step 2 = In the box : "From Email Address" AND "To Email Address" Step 3 = input box , Add JavaScript Code : <script>alert('XSS')</script> ************************ * ==> Contact Me : * Telegram : @Shahab_Shamsi * Email : info@securityman.org * WebSilte : WwW.iran123.Org ************************


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top