osclass manager - XSS - CXSecurity.com

osclass manager - XSS

2019.03.31

Salvatrucha (DZ)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

software homepage : https://osclass.org/

>go to website home page
edit language
if you see the request in GET as example.com/?locale=language_country (vulnerable)
use payload : /?locale=fr_FR%20src=--"><script>alert('Salvatrucha')</script>

>for developpers :
id you're using osclass check the index.php 
in the language the osvlass doesn't filter the entities of the language name

>vulnerable code :
$language = $_GET['$locale']
fix it by adding the htmlspecialchars() function
$language = htmlspecialchars($_GET['$locale'])

>examples of vulnerable websites : 
toiledz.com

>check here for vulnerable sites : https://trends.builtwith.com/websitelist/OS-Class

References:

Salvatrucha

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

osclass manager - XSS

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.