Montiorr 1.7.6m Cross Site Scripting

2021.04.27
Credit: Ahmad Shakla
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Montiorr 1.7.6m - File Upload to XSS # Date: 25/4/2021 # Exploit Author: Ahmad Shakla # Software Link: https://github.com/Monitorr/Monitorr # Tested on: Kali GNU/Linux 2020.2 # Detailed Bug Description : https://arabcyberclub.blogspot.com/2021/04/monitor-176m-file-upload-to-xss.html An attacker can preform an XSS attack via image upload Steps : 1)Create a payload with the following format : ><img src=x onerror=alert("XSS")>.png 2) Install the database by going to the following link : https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/_install.php 3)Register for a new account on the server by going to the following link : https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/login.php?action=register 4)Login with your credentials on the following link : https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/login.php 5)Go to the following link and upload the payload : https://monitorr.robyns-petshop.thm/settings.php#services-configuration


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top