Codoforum 4.8.3 Cross Site Scripting

2020.01.07
Credit: Prasanth c41m
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Codoforum 4.8.3 - Persistent Cross-Site Scripting # Google Dork: intext:"Powered by Codoforum" # Date: 2020-01-03 # Exploit Author: Prasanth c41m, Vyshnav Vizz # Vendor Homepage: https://codoforum.com/index.php # Software Link: https://codoforum.com/buy # Version: Codoforum 4.8.3 # Tested on: [relevant os] # CVE : [if applicable] # source: https://medium.com/@c41m/b2e1133c6a91? Codoforum is prone to a stored xss vulnerability. An attacker can exploit this issue to creating user with payload and perform cross-site scripting attacks. Codoforum version 4.8.3 is vulnerable. 1. Install Codoforum 4.8.3 in a local server. 2. Goto http://localhost/index.php?u=/user/register 3. Create a user using :- username : "><svg/onload=alert(1)> password : password email : c41m@email.com 4. Now goto http://localhost/admin/index.php?page=users/manage, an XSS alert popup will be triggered here.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top