Zenphoto 1.6 Cross Site Scripting

2023.05.27
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Exploit Title: Zenphoto 1.6 - Multiple stored XSS Application: Zenphoto-1.6 xss poc Version: 1.6 Bugs: XSS Technology: PHP Vendor URL: https://www.zenphoto.org/news/zenphoto-1.6/ Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zip Date of found: 01-05-2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== ###XSS-1### steps: 1. create new album 2. write Album Description : <iframe src="https://14.rs"></iframe> 3. save and view album http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/ ===================================================== ###XSS-2### steps: 1. go to user account and change user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users) 2.change postal code as <script>alert(4)</script> 3.if admin user information import as html , xss will trigger poc video : https://youtu.be/JKdC980ZbLY


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top