Monstra-Dev 3.0.4 Cross Site Scripting

2018.08.07
Credit: Nainsi Gupta
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

# Exploit Title: Monstra-Dev 3.0.4 Stored Cross Site Scripting
# Date: 04-08-2018
# Exploit Author: Nainsi Gupta
# Vendor Homepage: http://monstra.org/
# Software Link: https://github.com/monstra-cms/monstra
# Published In: https://indiancybersecuritysolutions.com/cve-2018-14922-cross-site-scripting/
# Product Name: Monstra-dev
# Version: 3.0.4
# Tested on: Windows 10 (Firefox/Chrome)
# CVE: CVE-2018-14922

# POC
1. Go to the site ( http://server.com/monstra-dev/ ).
2. Click on the Registration page (Registration).
3. Register by giving your name, mail and so on.
4. Now log in to the website.
5. After logging in, click on edit profile and paste these payloads into the first name and last name fields: in first name paste "><svg/onload=alert(/Nainsi/)> and in last name paste "><svg/onload=alert(/Gupta/)>
6. After saving the above changes, click on the edit profile page and you will see pop-ups stating Gupta and Nainsi.
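Both payloads in step 5 begin with `">`, the shape that closes a quoted attribute value before opening a new tag. The following is an added example in generic PHP (not Monstra's code and not part of the original advisory; the function and field names are hypothetical) that renders a stored profile field with and without attribute-context encoding, then parses the markup to show whether the stored value stayed inside the `value` attribute.

```php
<?php
// Added example: generic PHP, not Monstra source. Function and field names are hypothetical.

// Vulnerable pattern: the stored value is concatenated into a quoted attribute as-is.
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
function render_field_safe(string $name, string $value): string
{
    $enc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $enc($name) . '" value="' . $enc($value) . '">';
}

// Parse the markup and report what the field turned into:
// how many <svg> elements exist, and what the input's value attribute holds.
function inspect(string $html): array
{
    libxml_use_internal_errors(true); // keep parser warnings about malformed markup quiet
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return [
        'svg_elements' => $doc->getElementsByTagName('svg')->length,
        'value'        => $input ? $input->getAttribute('value') : null,
    ];
}

// Stored profile values, quoted from step 5 of the advisory.
$stored = [
    'firstname' => '"><svg/onload=alert(/Nainsi/)>',
    'lastname'  => '"><svg/onload=alert(/Gupta/)>',
];

foreach ($stored as $field => $value) {
    $unsafe = inspect(render_field_unsafe($field, $value));
    $safe   = inspect(render_field_safe($field, $value));
    printf("%-9s unsafe: svg=%d value=%s\n", $field, $unsafe['svg_elements'], var_export($unsafe['value'], true));
    printf("%-9s safe:   svg=%d value=%s\n", $field, $safe['svg_elements'], var_export($safe['value'], true));
}
```

In the hardened render the parser finds no `<svg>` element and the `value` attribute decodes back to the exact stored string, which is the property to check for in any template that echoes profile fields.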

